
Undeletable Users and Folders on Win 7-64 bit


  • This topic is locked
32 replies to this topic

#1 zse45tgb

zse45tgb

  • Members
  • 54 posts
  • OFFLINE
  • Local time:06:01 AM

Posted 01 June 2017 - 03:37 PM

I first noticed my problem when using Firefox's 'Open Link in New Tab' right-click option while reading news articles seemed slow to respond. While it may or may not be related, it is what started my search. I ran MBAM, Avast, Avast Boot, and SUPERAntiSpyware scans, which all reported no problems, except SUPERAntiSpyware's tracking cookies. When I did some searching, I found 2 users that should not exist, and trying & failing to delete these users is what led me here. Those users' names seem to change slightly day to day.
I am the only person with physical access to my computer.
I only use FF with NoScript as my browser, except when dealing with MS.
I use Avast free instead of Defender. I am running Cybereason RansomFree, as well.
 
Thanks to all involved.
 
Attached File  FRST.txt   58.01KB   5 downloads
Attached File  Addition.txt   28.98KB   2 downloads

Edited by hamluis, 01 June 2017 - 04:08 PM.




#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,587 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:01 AM

Posted 06 June 2017 - 08:47 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Sorry for this delay. If you still need help please run the Farbar tool as an Administrator.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 31-05-2017
Ran by Mike (ATTENTION: The user is not administrator) on SALVATION (01-06-2017 12:18:36)
Running from C:\Users\Mike\Downloads
Loaded Profiles: Mike & Dr. Feelgood (Available Profiles: Mike & Dr. Feelgood & Guest)


Please post the FRST log and let me know what issues, other than the new users, you have with this computer.
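Before the log itself, an added example of the cross-check a helper applies when reading the "One Month Created files and folders" section of an FRST log. This is not FRST's code, nor anything posted in this thread: it parses the profile header and the created-file entries, then flags directories sitting directly under \Users that match no listed profile, hidden directories created in the window, and minutes in which many entries were created at once. The sample lines are copied from the log posted later in this thread; the three triage rules, the `BUILTIN_USER_DIRS` set and the reading of FRST's attribute letters (D = directory, H = hidden) are this example's own assumptions.

```python
"""Triage of the "One Month Created files and folders" section of an FRST log
(added example, not FRST's own code). Attribute letters are read as
D = directory, H = hidden; the other positions of the field are ignored here."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample: lines copied from the FRST log posted in this thread,
# trimmed to the profile header plus a few "Created" entries.
SAMPLE_LOG = r"""
Loaded Profiles: Mike & Dr. Feelgood (Available Profiles: Mike & Dr. Feelgood & Guest)

==================== One Month Created files and folders ========

2017-06-06 09:43 - 2017-06-06 09:43 - 00000000 __SHD C:\Users\Dr. Feelgood\Desktop\ This folder protects against Ransomware. Just leave it here
2017-06-06 09:43 - 2017-06-06 09:43 - 00000000 ___HD C:\Users\Dr. Feelgood\Documents\Ndate34
2017-06-05 21:46 - 2017-06-05 21:46 - 00526816 _____ C:\Users\Quxei\sincefactionsweep.xlsx
2017-06-05 21:46 - 2017-06-05 21:46 - 00059035 _____ C:\Users\Akstp\gpZyf2.pem
2017-06-05 21:46 - 2017-06-05 21:46 - 00000000 ___HD C:\Users\Quxei
2017-06-05 21:46 - 2017-06-05 21:46 - 00000000 ___HD C:\Users\Akstp
2017-06-05 21:46 - 2017-06-05 21:46 - 00000000 ____D C:\xsettingsettings73
2017-05-10 09:35 - 2017-04-27 18:14 - 05547240 _____ (Microsoft Corporation) C:\windows\system32\ntoskrnl.exe
"""

ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[A-Z_]{5}) "
    r"(?:\((?P<company>.*?)\) )?"  # optional "(Company) " prefix
    r"(?P<path>[A-Za-z]:\\.*)$"
)
PROFILES_RE = re.compile(r"Available Profiles: (?P<names>[^)]*)\)")
USER_DIR_RE = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)$", re.IGNORECASE)
# Assumed: folders Windows itself keeps under \Users that never appear as profiles.
BUILTIN_USER_DIRS = {"Public", "Default", "Default User", "All Users"}


@dataclass
class Entry:
    created: str
    size: int
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def is_hidden(self) -> bool:
        return "H" in self.attrs


def parse_profiles(log: str) -> Set[str]:
    """Names from the '(Available Profiles: A & B & C)' part of the header."""
    m = PROFILES_RE.search(log)
    return {n.strip() for n in m.group("names").split(" & ")} if m else set()


def parse_entries(log: str) -> List[Entry]:
    """One Entry per line shaped 'created - modified - size attrs [(company)] path'."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("created"), int(m.group("size")),
                                 m.group("attrs"), m.group("path")))
    return entries


def orphan_user_dirs(entries: List[Entry], profiles: Set[str]) -> Dict[str, int]:
    """Directories directly under \\Users that match no listed profile, mapped to
    the number of files the log shows being created inside them."""
    known = {p.lower() for p in profiles | BUILTIN_USER_DIRS}
    result: Dict[str, int] = {}
    for e in entries:
        m = USER_DIR_RE.match(e.path)
        if e.is_dir and m and m.group(1).lower() not in known:
            prefix = e.path.lower() + "\\"
            result[m.group(1)] = sum(1 for f in entries
                                     if not f.is_dir and f.path.lower().startswith(prefix))
    return result


def hidden_dirs(entries: List[Entry]) -> List[str]:
    return [e.path for e in entries if e.is_dir and e.is_hidden]


def creation_bursts(entries: List[Entry], min_count: int = 3) -> Dict[str, int]:
    """Minutes in which at least min_count entries were created together."""
    counts = Counter(e.created for e in entries)
    return {ts: n for ts, n in counts.items() if n >= min_count}


def triage(log: str) -> dict:
    entries, profiles = parse_entries(log), parse_profiles(log)
    return {"profiles": profiles,
            "orphan_user_dirs": orphan_user_dirs(entries, profiles),
            "hidden_dirs": hidden_dirs(entries),
            "bursts": creation_bursts(entries)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the report shows two folders under \Users (Quxei and Akstp) that FRST itself does not list as profiles, each with files created in the same minute as the folder, plus hidden folders inside the real profiles and one burst of five entries at 21:46. A folder under \Users is only a folder; whether it is a real account is a separate question answered by the SAM and the ProfileList key, which is why the helper asks for the full log before deciding what to remove.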

#3 zse45tgb

zse45tgb
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:06:01 AM

Posted 06 June 2017 - 12:41 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 05-06-2017
Ran by Dr. Feelgood (administrator) on SALVATION (06-06-2017 09:55:26)
Running from C:\Users\Dr. Feelgood\Downloads
Loaded Profiles: Mike & Dr. Feelgood (Available Profiles: Mike & Dr. Feelgood & Guest)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Microsoft Corporation) C:\windows\System32\wlanext.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
(Broadcom Corporation.) C:\windows\System32\BtwRSupportService.exe
(Broadcom Corporation.) C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe
(Cybereason) C:\Program Files (x86)\Cybereason\RansomFree\CybereasonRansomFreeServiceHost.exe
() C:\Program Files (x86)\GNU\GnuPG\dirmngr.exe
(SEIKO EPSON CORPORATION) C:\Program Files\EPSON\EpsonCustomerResearchParticipation\EPCP.exe
(Seiko Epson Corporation) C:\windows\System32\escsvc64.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Cybereason) C:\Program Files (x86)\Cybereason\RansomFree\CybereasonRansomFree.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Lenovo) C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe
(Lenovo (Beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
() C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe
(Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
(Intel Corporation) C:\windows\System32\hkcmd.exe
(Intel Corporation) C:\windows\System32\igfxpers.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(cyberlink) C:\Program Files (x86)\Cyberlink\Shared files\brs.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe
(AVAST Software s.r.o.) C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\windows\System32\alg.exe
(Intel Corporation) C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
(Intel® Corporation) C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Cybereason) C:\Program Files (x86)\Cybereason\RansomFree\CybereasonRansomFree.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Lenovo) C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe
(Lenovo (Beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
() C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe
(Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Intel Corporation) C:\windows\System32\igfxtray.exe
(Intel Corporation) C:\windows\System32\hkcmd.exe
(Intel Corporation) C:\windows\System32\igfxpers.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(SEIKO EPSON CORPORATION) C:\windows\System32\spool\drivers\x64\3\E_YATIRHE.EXE
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(cyberlink) C:\Program Files (x86)\Cyberlink\Shared files\brs.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Farbar) C:\Users\Dr. Feelgood\Downloads\FRST64(1).exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13353064 2011-11-14] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2538280 2010-12-22] (Synaptics Incorporated)
HKLM\...\Run: [Lenovo EE Boot Optimizer] => C:\Program Files (x86)\Lenovo\Boot Optimizer\PopWnd.exe [114688 2012-03-02] (Lenovo)
HKLM\...\Run: [OnekeyStudio] => C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe [789920 2012-03-02] (Lenovo)
HKLM\...\Run: [UpdatePRCShortCut] => C:\Program Files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe [222504 2009-05-13] (CyberLink Corp.)
HKLM\...\Run: [Energy Management] => C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [9769888 2012-03-02] (Lenovo (Beijing) Limited)
HKLM\...\Run: [EnergyUtility] => C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe [5908928 2012-03-02] (Lenovo(beijing) Limited)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [213824 2017-05-09] (AVAST Software)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [3146704 2017-05-09] (Malwarebytes)
HKLM-x32\...\Run: [BDRegion] => C:\Program Files (x86)\Cyberlink\Shared files\brs.exe [75048 2011-02-24] (cyberlink)
HKLM-x32\...\Run: [UpdateP2GShortCut] => C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe [222504 2010-07-26] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePRCShortCut] => C:\Program Files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe [222504 2009-05-13] (CyberLink Corp.)
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [1087184 2016-01-20] (SEIKO EPSON CORPORATION)
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-19\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-20\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-21-1486635349-3231517910-980370596-1000\...\Run: [Skype] => "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
HKU\S-1-5-21-1486635349-3231517910-980370596-1000\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7946656 2017-04-06] (SUPERAntiSpyware)
HKU\S-1-5-21-1486635349-3231517910-980370596-1018\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-21-1486635349-3231517910-980370596-1018\...\Run: [EPLTarget\P0000000000000000] => C:\windows\system32\spool\DRIVERS\x64\3\E_YATIRHE.EXE [417776 2014-11-13] (SEIKO EPSON CORPORATION)
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-05-09] (AVAST Software)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-05-09] (AVAST Software)
ShellIconOverlayIdentifiers: [VeriFace Enc] -> {771C7324-DA80-49D3-8017-753B0AF60951} => C:\windows\system32\IcnOvrly.dll [2012-03-02] ()
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{5A4C4C5C-18F1-4E3B-A3ED-AEA649D8EFF0}: [DhcpNameServer] 75.75.75.75 75.75.76.76

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKU\S-1-5-21-1486635349-3231517910-980370596-1000\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.lenovo.com
HKU\S-1-5-21-1486635349-3231517910-980370596-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=LENN&bmod=LENN
HKU\S-1-5-21-1486635349-3231517910-980370596-1018\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.lenovo.com
HKU\S-1-5-21-1486635349-3231517910-980370596-1018\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=LENN&bmod=LENN
SearchScopes: HKLM -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKLM -> OldSearch URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-1486635349-3231517910-980370596-1000 -> OldSearch URL =
SearchScopes: HKU\S-1-5-21-1486635349-3231517910-980370596-1018 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1486635349-3231517910-980370596-1018 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1486635349-3231517910-980370596-1018 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LENN
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2017-04-04] (AVAST Software)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2017-04-04] (AVAST Software)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Toolbar: HKU\S-1-5-21-1486635349-3231517910-980370596-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF DefaultProfile: 260paz3a.default
FF ProfilePath: C:\Users\Dr. Feelgood\AppData\Roaming\Mozilla\Firefox\Profiles\260paz3a.default [2017-06-06]
FF Extension: (Avast SafePrice) - C:\Users\Dr. Feelgood\AppData\Roaming\Mozilla\Firefox\Profiles\260paz3a.default\Extensions\sp@avast.com.xpi [2017-06-06]
FF Extension: (Avast Online Security) - C:\Users\Dr. Feelgood\AppData\Roaming\Mozilla\Firefox\Profiles\260paz3a.default\Extensions\wrc@avast.com.xpi [2017-06-06]
FF Extension: (Follow-on Search Telemetry) - C:\Users\Dr. Feelgood\AppData\Roaming\Mozilla\Firefox\Profiles\260paz3a.default\features\{e3cfab2e-76a3-4e14-bcdd-93a5195e70b2}\followonsearch@mozilla.com.xpi [2017-06-06]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50906.0\npctrl.dll [2017-03-09] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50906.0\npctrl.dll [2017-03-09] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-09] (Microsoft Corporation)
FF Plugin-x32: @oberon-media.com/ONCAdapter -> C:\Program Files (x86)\Common Files\Oberon Media\NCAdapter\1.0.0.8\npapicomadapter.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-29] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-29] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-04-04] (Adobe Systems Inc.)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [173472 2017-02-10] (SUPERAntiSpyware.com)
R3 aswbIDSAgent; C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe [7346208 2017-05-09] (AVAST Software s.r.o.)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [263304 2017-05-09] (AVAST Software)
R2 BcmBtRSupport; C:\windows\system32\BtwRSupportService.exe [2253016 2013-10-02] (Broadcom Corporation.)
R2 btwdins; C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe [956192 2011-02-15] (Broadcom Corporation.)
S2 CLKMSVC10_3A60B698; C:\Program Files (x86)\Lenovo\PowerDVD10\NavFilter\kmsvc.exe [241648 2011-02-24] (CyberLink)
R2 CybereasonRansomFree; C:\Program Files (x86)\Cybereason\RansomFree\CybereasonRansomFreeServiceHost.exe [19344 2017-05-07] (Cybereason)
R2 DirMngr; C:\Program Files (x86)\GNU\GnuPG\dirmngr.exe [216576 2016-08-18] () [File not signed]
R2 EpsonCustomerResearchParticipation; C:\Program Files\EPSON\EpsonCustomerResearchParticipation\EPCP.exe [677376 2016-08-02] (SEIKO EPSON CORPORATION)
R2 EpsonScanSvc; C:\windows\system32\EscSvc64.exe [145224 2016-01-13] (Seiko Epson Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4470736 2017-05-09] (Malwarebytes)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [284912 2014-01-08] ()
S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3674864 2014-01-08] (Intel® Corporation)
S3 AvastVBoxSvc; C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 aswbidsdriver; C:\windows\system32\drivers\aswbidsdrivera.sys [311808 2017-05-09] (AVAST Software s.r.o.)
R0 aswbidsh; C:\windows\system32\drivers\aswbidsha.sys [190256 2017-05-09] (AVAST Software s.r.o.)
R0 aswblog; C:\windows\system32\drivers\aswbloga.sys [334576 2017-05-09] (AVAST Software s.r.o.)
R0 aswbuniv; C:\windows\system32\drivers\aswbuniva.sys [49016 2017-05-09] (AVAST Software s.r.o.)
S3 aswHdsKe; C:\windows\system32\drivers\aswHdsKe.sys [82936 2017-01-08] (AVAST Software)
S3 aswHwid; C:\windows\system32\drivers\aswHwid.sys [38296 2017-05-09] (AVAST Software)
R1 aswKbd; C:\windows\system32\drivers\aswKbd.sys [32600 2017-05-09] (AVAST Software)
R2 aswMonFlt; C:\windows\system32\drivers\aswMonFlt.sys [128648 2017-05-09] (AVAST Software)
R1 aswRdr; C:\windows\system32\drivers\aswRdr2.sys [101152 2017-05-09] (AVAST Software)
R0 aswRvrt; C:\windows\system32\drivers\aswRvrt.sys [75704 2017-05-09] (AVAST Software)
R1 aswSnx; C:\windows\system32\drivers\aswSnx.sys [1007160 2017-05-09] (AVAST Software)
R1 aswSP; C:\windows\system32\drivers\aswSP.sys [569192 2017-05-09] (AVAST Software)
R2 aswStm; C:\windows\system32\drivers\aswStm.sys [158880 2017-05-12] (AVAST Software)
R0 aswVmm; C:\windows\system32\drivers\aswVmm.sys [339696 2017-05-09] (AVAST Software)
R3 bcbtums; C:\windows\System32\drivers\bcbtums.sys [170712 2013-10-02] (Broadcom Corporation.)
R1 ESProtectionDriver; C:\windows\system32\drivers\mbae64.sys [77376 2017-06-03] ()
R2 MBAMChameleon; C:\windows\system32\drivers\MBAMChameleon.sys [188312 2017-06-03] (Malwarebytes)
R3 MBAMFarflt; C:\windows\system32\drivers\farflt.sys [113592 2017-06-03] (Malwarebytes)
R3 MBAMProtection; C:\windows\system32\drivers\mbam.sys [44960 2017-06-03] (Malwarebytes)
R3 MBAMSwissArmy; C:\windows\system32\drivers\MBAMSwissArmy.sys [252832 2017-06-03] (Malwarebytes)
R3 MBAMWebProtection; C:\windows\system32\drivers\mwac.sys [84256 2017-06-06] (Malwarebytes)
R3 S6000KNT; C:\windows\System32\Drivers\S6000KNT.sys [3293272 2010-12-23] (Windows ® Win 7 DDK provider)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 veracrypt; C:\windows\System32\drivers\veracrypt.sys [192344 2015-05-16] (IDRIX)
U2 CLKMSVC10_C3B3B687; no ImagePath
U2 DriverService; no ImagePath
U2 IAStorDataMgrSvc; no ImagePath
U2 idealife Update Service; no ImagePath
U3 IGRS; no ImagePath
U2 IviRegMgr; no ImagePath
U2 nvUpdatusService; no ImagePath
U2 Oasis2Service; no ImagePath
U2 PCCarerServic; no ImagePath
U2 ReadyComm.DirectRouter; no ImagePath
U2 RichVideo; no ImagePath
U2 RtLedService; no ImagePath
U2 SoftwareService; no ImagePath
U2 Stereo Service; no ImagePath
S2 VBoxAswDrv; \??\C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-06-06 09:55 - 2017-06-06 09:55 - 00019466 _____ C:\Users\Dr. Feelgood\Downloads\FRST.txt
2017-06-06 09:52 - 2017-06-06 09:52 - 02433536 _____ (Farbar) C:\Users\Dr. Feelgood\Downloads\FRST64(1).exe
2017-06-06 09:43 - 2017-06-06 09:43 - 00000000 __SHD C:\Users\Dr. Feelgood\Desktop\ This folder protects against Ransomware. Just leave it here
2017-06-06 09:43 - 2017-06-06 09:43 - 00000000 ___HD C:\Users\Dr. Feelgood\Documents\Ndate34
2017-06-06 09:43 - 2017-06-06 09:43 - 00000000 ___HD C:\Users\Dr. Feelgood\Documents\Llogs221
2017-06-06 09:42 - 2017-06-06 09:42 - 00000095 _____ C:\Users\Mike\Desktop\New Text Document.txt
2017-06-05 21:46 - 2017-06-05 21:46 - 00526816 _____ C:\Users\Quxei\sincefactionsweep.xlsx
2017-06-05 21:46 - 2017-06-05 21:46 - 00522492 _____ C:\Users\Akstp\development_self_appraise_imitate.xlsx
2017-06-05 21:46 - 2017-06-05 21:46 - 00230263 _____ C:\Users\Akstp\biggest.offered.mdb
2017-06-05 21:46 - 2017-06-05 21:46 - 00229907 _____ C:\Users\Quxei\LB6Mhlhrj.mdb
2017-06-05 21:46 - 2017-06-05 21:46 - 00077125 _____ C:\Users\Akstp\profound_mill.xls
2017-06-05 21:46 - 2017-06-05 21:46 - 00073489 _____ C:\Users\Quxei\bVQBbCt.xls
2017-06-05 21:46 - 2017-06-05 21:46 - 00059035 _____ C:\Users\Akstp\gpZyf2.pem
2017-06-05 21:46 - 2017-06-05 21:46 - 00058364 _____ C:\Users\Quxei\stresses-vast-islands-gradual.pem
2017-06-05 21:46 - 2017-06-05 21:46 - 00031898 _____ C:\Users\Akstp\push-tuesday-razor.txt
2017-06-05 21:46 - 2017-06-05 21:46 - 00016544 _____ C:\Users\Quxei\fence.resolved.owners.sql
2017-06-05 21:46 - 2017-06-05 21:46 - 00013908 _____ C:\Users\Quxei\t0Q.txt
2017-06-05 21:46 - 2017-06-05 21:46 - 00012215 _____ C:\Users\Akstp\runsglanceindiaenthusiastic.sql
2017-06-05 21:46 - 2017-06-05 21:46 - 00000000 __SHD C:\Users\Mike\Desktop\ This folder protects against Ransomware. Just leave it here
2017-06-05 21:46 - 2017-06-05 21:46 - 00000000 ___HD C:\Users\Quxei
2017-06-05 21:46 - 2017-06-05 21:46 - 00000000 ___HD C:\Users\Mike\Documents\Zvalue173
2017-06-05 21:46 - 2017-06-05 21:46 - 00000000 ___HD C:\Users\Mike\Documents\Adata171
2017-06-05 21:46 - 2017-06-05 21:46 - 00000000 ___HD C:\Users\Akstp
2017-06-05 21:46 - 2017-06-05 21:46 - 00000000 ____D C:\xsettingsettings73
2017-06-05 21:46 - 2017-06-05 21:46 - 00000000 ____D C:\Accaches123
2017-06-01 12:36 - 2017-06-06 09:46 - 00000000 ____D C:\Users\Dr. Feelgood\AppData\LocalLow\Mozilla
2017-06-01 12:32 - 2017-06-01 12:32 - 00061638 _____ C:\Users\Mike\Desktop\FRST.txt
2017-06-01 12:32 - 2017-06-01 12:32 - 00036839 _____ C:\Users\Mike\Desktop\Addition.txt
2017-06-01 12:19 - 2017-06-01 12:19 - 00029674 _____ C:\Users\Mike\Downloads\Addition.txt
2017-06-01 12:18 - 2017-06-06 09:55 - 00000000 ____D C:\FRST
2017-06-01 12:18 - 2017-06-01 12:19 - 00059401 _____ C:\Users\Mike\Downloads\FRST.txt
2017-06-01 12:13 - 2017-06-01 12:13 - 02431488 _____ (Farbar) C:\Users\Dr. Feelgood\Downloads\FRST64.exe
2017-05-28 22:04 - 2017-05-28 22:06 - 00000000 ____D C:\Users\Mike\Desktop\Tools
2017-05-28 21:39 - 2017-05-28 21:48 - 00000000 ____D C:\AdwCleaner
2017-05-28 21:33 - 2017-05-28 21:55 - 00001838 _____ C:\Users\Mike\Desktop\ADWCleanCO.txt
2017-05-28 21:24 - 2017-05-28 21:51 - 00002010 _____ C:\Users\Mike\Desktop\AdwCleanSO.txt
2017-05-28 21:19 - 2017-05-28 21:19 - 00000009 _____ C:\Users\Mike\Desktop\TDSKill.txt
2017-05-28 21:16 - 2017-05-28 21:19 - 00443724 _____ C:\TDSSKiller.3.1.0.15_28.05.2017_21.16.12_log.txt
2017-05-28 21:09 - 2017-05-28 21:10 - 00000009 _____ C:\Users\Mike\Desktop\MBAR.txt
2017-05-28 21:09 - 2017-05-28 21:09 - 00000009 _____ C:\Users\Mike\Desktop\No Issues.txt
2017-05-28 21:08 - 2017-05-28 21:10 - 00000009 _____ C:\Users\Mike\Desktop\MB3.txt
2017-05-28 20:27 - 2017-06-06 07:19 - 00084256 _____ (Malwarebytes) C:\windows\system32\Drivers\mwac.sys
2017-05-28 20:27 - 2017-06-03 09:13 - 00252832 _____ (Malwarebytes) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2017-05-28 20:27 - 2017-06-03 09:13 - 00188312 _____ (Malwarebytes) C:\windows\system32\Drivers\MBAMChameleon.sys
2017-05-28 20:27 - 2017-06-03 09:13 - 00113592 _____ (Malwarebytes) C:\windows\system32\Drivers\farflt.sys
2017-05-28 20:27 - 2017-06-03 09:13 - 00077376 _____ C:\windows\system32\Drivers\mbae64.sys
2017-05-28 20:27 - 2017-06-03 09:13 - 00044960 _____ (Malwarebytes) C:\windows\system32\Drivers\mbam.sys
2017-05-28 20:27 - 2017-05-28 20:27 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-05-28 20:27 - 2017-05-28 20:27 - 00000000 ____D C:\Program Files\Malwarebytes
2017-05-28 20:22 - 2017-05-28 20:25 - 00002436 _____ C:\Users\Dr. Feelgood\Desktop\Rkill.txt
2017-05-28 20:18 - 2017-05-28 20:18 - 00030287 _____ C:\Users\Mike\Desktop\MTB.txt
2017-05-28 20:17 - 2017-05-28 20:17 - 00030295 _____ C:\Users\Mike\Downloads\MTB.txt
2017-05-28 20:17 - 2017-05-28 20:17 - 00030295 _____ C:\Users\Dr. Feelgood\Desktop\MTB.txt
2017-05-28 19:45 - 2017-05-28 20:13 - 00000000 ____D C:\Users\Dr. Feelgood\Desktop\mbar
2017-05-28 19:43 - 2017-05-28 19:43 - 00003242 _____ C:\Users\Mike\Desktop\FSS.txt
2017-05-28 19:42 - 2017-05-28 19:42 - 00003242 _____ C:\Users\Mike\Downloads\FSS.txt
2017-05-28 19:41 - 2017-05-28 20:25 - 00001217 _____ C:\Users\Mike\Desktop\Rkill.txt
2017-05-28 19:41 - 2017-05-28 19:41 - 00000757 _____ C:\Users\Mike\Desktop\checkup.txt
2017-05-28 19:37 - 2017-05-28 19:37 - 00000757 _____ C:\Users\Dr. Feelgood\Desktop\results.txt
2017-05-28 19:36 - 2017-05-28 19:36 - 00000757 _____ C:\Users\Dr. Feelgood\Desktop\checkup.txt
2017-05-28 19:33 - 2017-05-28 19:33 - 00000757 _____ C:\Users\Dr. Feelgood\Downloads\checkup.txt
2017-05-28 19:29 - 2017-05-28 19:30 - 00000757 _____ C:\Users\Dr. Feelgood\Documents\checkup.txt
2017-05-28 18:50 - 2017-05-28 18:50 - 00000000 ____D C:\Users\Dr. Feelgood\AppData\Roaming\StreamTorrent
2017-05-28 18:49 - 2017-05-28 18:51 - 00000000 ____D C:\Users\Dr. Feelgood\AppData\Roaming\uTorrent
2017-05-28 12:12 - 2017-06-01 12:13 - 00003894 _____ C:\windows\System32\Tasks\SafeZone scheduled Autoupdate 1467713979
2017-05-28 12:10 - 2017-05-09 16:04 - 00400456 _____ (AVAST Software) C:\windows\system32\aswBoot.exe
2017-05-27 17:53 - 2017-05-28 12:01 - 00000000 ____D C:\Users\Dr. Feelgood\AppData\Local\Runscanner.net
2017-05-10 11:54 - 2017-05-28 21:45 - 00000022 _____ C:\windows\S.dirmngr
2017-05-10 11:04 - 2017-05-10 11:05 - 40502136 _____ (Mozilla) C:\Users\Mike\Downloads\Thunderbird Setup 52.1.0.exe
2017-05-10 09:35 - 2017-04-27 18:14 - 05547240 _____ (Microsoft Corporation) C:\windows\system32\ntoskrnl.exe
2017-05-10 09:35 - 2017-04-27 18:14 - 00706792 _____ (Microsoft Corporation) C:\windows\system32\winload.efi
2017-05-10 09:35 - 2017-04-27 18:14 - 00631176 _____ (Microsoft Corporation) C:\windows\system32\winresume.efi
2017-05-10 09:35 - 2017-04-27 18:14 - 00154856 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ksecpkg.sys
2017-05-10 09:35 - 2017-04-27 18:14 - 00095464 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ksecdd.sys
2017-05-10 09:35 - 2017-04-27 18:11 - 01732864 _____ (Microsoft Corporation) C:\windows\system32\ntdll.dll
2017-05-10 09:35 - 2017-04-27 18:10 - 01460736 _____ (Microsoft Corporation) C:\windows\system32\lsasrv.dll
2017-05-10 09:35 - 2017-04-27 18:10 - 01212928 _____ (Microsoft Corporation) C:\windows\system32\rpcrt4.dll
2017-05-10 09:35 - 2017-04-27 18:10 - 01163264 _____ (Microsoft Corporation) C:\windows\system32\kernel32.dll
2017-05-10 09:35 - 2017-04-27 18:10 - 00730624 _____ (Microsoft Corporation) C:\windows\system32\kerberos.dll
2017-05-10 09:35 - 2017-04-27 18:10 - 00503808 _____ (Microsoft Corporation) C:\windows\system32\srcore.dll
2017-05-10 09:35 - 2017-04-27 18:10 - 00419840 _____ (Microsoft Corporation) C:\windows\system32\KernelBase.dll
2017-05-10 09:35 - 2017-04-27 18:10 - 00362496 _____ (Microsoft Corporation) C:\windows\system32\wow64win.dll
2017-05-10 09:35 - 2017-04-27 18:10 - 00345600 _____ (Microsoft Corporation) C:\windows\system32\schannel.dll
2017-05-10 09:35 - 2017-04-27 18:10 - 00316928 _____ (Microsoft Corporation) C:\windows\system32\msv1_0.dll
2017-05-10 09:35 - 2017-04-27 18:10 - 00312320 _____ (Microsoft Corporation) C:\windows\system32\ncrypt.dll
2017-05-10 09:35 - 2017-04-27 18:10 - 00243712 _____ (Microsoft Corporation) C:\windows\system32\wow64.dll
2017-05-10 09:35 - 2017-04-27 18:10 - 00215552 _____ (Microsoft Corporation) C:\windows\system32\winsrv.dll
2017-05-10 09:35 - 2017-04-27 18:10 - 00210432 _____ (Microsoft Corporation) C:\windows\system32\wdigest.dll
2017-05-10 09:35 - 2017-04-27 18:10 - 00190464 _____ (Microsoft Corporation) C:\windows\system32\rpchttp.dll
2017-05-10 09:35 - 2017-04-27 18:10 - 00146432 _____ (Microsoft Corporation) C:\windows\system32\msaudite.dll
2017-05-10 09:35 - 2017-04-27 18:10 - 00135680 _____ (Microsoft Corporation) C:\windows\system32\sspicli.dll
2017-05-10 09:35 - 2017-04-27 18:10 - 00086528 _____ (Microsoft Corporation) C:\windows\system32\TSpkg.dll
2017-05-10 09:35 - 2017-04-27 18:10 - 00063488 _____ (Microsoft Corporation) C:\windows\system32\setbcdlocale.dll
2017-05-10 09:35 - 2017-04-27 18:10 - 00060416 _____ (Microsoft Corporation) C:\windows\system32\msobjs.dll
2017-05-10 09:35 - 2017-04-27 18:10 - 00050176 _____ (Microsoft Corporation) C:\windows\system32\srclient.dll
2017-05-10 09:35 - 2017-04-27 18:10 - 00028672 _____ (Microsoft Corporation) C:\windows\system32\sspisrv.dll
2017-05-10 09:35 - 2017-04-27 18:10 - 00028160 _____ (Microsoft Corporation) C:\windows\system32\secur32.dll
2017-05-10 09:35 - 2017-04-27 18:10 - 00016384 _____ (Microsoft Corporation) C:\windows\system32\ntvdm64.dll
2017-05-10 09:35 - 2017-04-27 18:10 - 00013312 _____ (Microsoft Corporation) C:\windows\system32\wow64cpu.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00880640 _____ (Microsoft Corporation) C:\windows\system32\advapi32.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00690688 _____ (Microsoft Corporation) C:\windows\system32\adtschema.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00463872 _____ (Microsoft Corporation) C:\windows\system32\certcli.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00123904 _____ (Microsoft Corporation) C:\windows\system32\bcrypt.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00059904 _____ (Microsoft Corporation) C:\windows\system32\appidapi.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00044032 _____ (Microsoft Corporation) C:\windows\system32\csrsrv.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00043520 _____ (Microsoft Corporation) C:\windows\system32\cryptbase.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00034816 _____ (Microsoft Corporation) C:\windows\system32\appidsvc.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00022016 _____ (Microsoft Corporation) C:\windows\system32\credssp.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00006656 _____ (Microsoft Corporation) C:\windows\system32\apisetschema.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00006144 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00005120 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00004608 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00004608 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 18:09 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 17:36 - 04000488 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntkrnlpa.exe
2017-05-10 09:35 - 2017-04-27 17:36 - 03945192 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntoskrnl.exe
2017-05-10 09:35 - 2017-04-27 17:34 - 01314112 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntdll.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 01114112 _____ (Microsoft Corporation) C:\windows\SysWOW64\kernel32.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00690688 _____ (Microsoft Corporation) C:\windows\SysWOW64\adtschema.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00666112 _____ (Microsoft Corporation) C:\windows\SysWOW64\rpcrt4.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00644096 _____ (Microsoft Corporation) C:\windows\SysWOW64\advapi32.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00553472 _____ (Microsoft Corporation) C:\windows\SysWOW64\kerberos.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00342528 _____ (Microsoft Corporation) C:\windows\SysWOW64\certcli.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00275456 _____ (Microsoft Corporation) C:\windows\SysWOW64\KernelBase.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00261120 _____ (Microsoft Corporation) C:\windows\SysWOW64\msv1_0.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00254464 _____ (Microsoft Corporation) C:\windows\SysWOW64\schannel.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00223232 _____ (Microsoft Corporation) C:\windows\SysWOW64\ncrypt.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00172032 _____ (Microsoft Corporation) C:\windows\SysWOW64\wdigest.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00146432 _____ (Microsoft Corporation) C:\windows\SysWOW64\msaudite.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00141312 _____ (Microsoft Corporation) C:\windows\SysWOW64\rpchttp.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00096768 _____ (Microsoft Corporation) C:\windows\SysWOW64\sspicli.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00082944 _____ (Microsoft Corporation) C:\windows\SysWOW64\bcrypt.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00065536 _____ (Microsoft Corporation) C:\windows\SysWOW64\TSpkg.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00060416 _____ (Microsoft Corporation) C:\windows\SysWOW64\msobjs.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00050688 _____ (Microsoft Corporation) C:\windows\SysWOW64\appidapi.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00043008 _____ (Microsoft Corporation) C:\windows\SysWOW64\srclient.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00022016 _____ (Microsoft Corporation) C:\windows\SysWOW64\secur32.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00017408 _____ (Microsoft Corporation) C:\windows\SysWOW64\credssp.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00006656 _____ (Microsoft Corporation) C:\windows\SysWOW64\apisetschema.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00005120 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00005120 _____ (Microsoft Corporation) C:\windows\SysWOW64\wow32.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00004608 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 17:32 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 17:19 - 00148480 _____ (Microsoft Corporation) C:\windows\system32\appidpolicyconverter.exe
2017-05-10 09:35 - 2017-04-27 17:19 - 00062464 _____ (Microsoft Corporation) C:\windows\system32\Drivers\appid.sys
2017-05-10 09:35 - 2017-04-27 17:19 - 00017920 _____ (Microsoft Corporation) C:\windows\system32\appidcertstorecheck.exe
2017-05-10 09:35 - 2017-04-27 17:18 - 00064000 _____ (Microsoft Corporation) C:\windows\system32\auditpol.exe
2017-05-10 09:35 - 2017-04-27 17:15 - 00338432 _____ (Microsoft Corporation) C:\windows\system32\conhost.exe
2017-05-10 09:35 - 2017-04-27 17:14 - 00296960 _____ (Microsoft Corporation) C:\windows\system32\rstrui.exe
2017-05-10 09:35 - 2017-04-27 17:12 - 00159744 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxsmb.sys
2017-05-10 09:35 - 2017-04-27 17:11 - 00291328 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxsmb10.sys
2017-05-10 09:35 - 2017-04-27 17:11 - 00129536 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxsmb20.sys
2017-05-10 09:35 - 2017-04-27 17:11 - 00050176 _____ (Microsoft Corporation) C:\windows\SysWOW64\auditpol.exe
2017-05-10 09:35 - 2017-04-27 17:10 - 00112640 _____ (Microsoft Corporation) C:\windows\system32\smss.exe
2017-05-10 09:35 - 2017-04-27 17:10 - 00030720 _____ (Microsoft Corporation) C:\windows\system32\lsass.exe
2017-05-10 09:35 - 2017-04-27 17:08 - 00025600 _____ (Microsoft Corporation) C:\windows\SysWOW64\setup16.exe
2017-05-10 09:35 - 2017-04-27 17:08 - 00014336 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntvdm64.dll
2017-05-10 09:35 - 2017-04-27 17:08 - 00007680 _____ (Microsoft Corporation) C:\windows\SysWOW64\instnm.exe
2017-05-10 09:35 - 2017-04-27 17:08 - 00002048 _____ (Microsoft Corporation) C:\windows\SysWOW64\user.exe
2017-05-10 09:35 - 2017-04-27 17:07 - 00036352 _____ (Microsoft Corporation) C:\windows\SysWOW64\cryptbase.dll
2017-05-10 09:35 - 2017-04-27 17:07 - 00006144 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 17:07 - 00004608 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 17:07 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2017-05-10 09:35 - 2017-04-27 17:07 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2017-05-10 09:35 - 2017-04-26 07:59 - 03220992 _____ (Microsoft Corporation) C:\windows\system32\win32k.sys
2017-05-10 09:35 - 2017-04-21 08:34 - 01133568 _____ (Microsoft Corporation) C:\windows\system32\cdosys.dll
2017-05-10 09:35 - 2017-04-21 08:15 - 00805376 _____ (Microsoft Corporation) C:\windows\SysWOW64\cdosys.dll
2017-05-10 09:35 - 2017-04-19 17:00 - 00394448 _____ (Microsoft Corporation) C:\windows\system32\iedkcs32.dll
2017-05-10 09:35 - 2017-04-19 16:16 - 00346320 _____ (Microsoft Corporation) C:\windows\SysWOW64\iedkcs32.dll
2017-05-10 09:35 - 2017-04-17 08:37 - 02065408 _____ (Microsoft Corporation) C:\windows\system32\ole32.dll
2017-05-10 09:35 - 2017-04-17 08:37 - 00876544 _____ (Microsoft Corporation) C:\windows\system32\oleaut32.dll
2017-05-10 09:35 - 2017-04-17 08:37 - 00512000 _____ (Microsoft Corporation) C:\windows\system32\rpcss.dll
2017-05-10 09:35 - 2017-04-17 08:37 - 00026112 _____ (Microsoft Corporation) C:\windows\system32\oleres.dll
2017-05-10 09:35 - 2017-04-17 08:37 - 00008704 _____ (Microsoft Corporation) C:\windows\system32\comcat.dll
2017-05-10 09:35 - 2017-04-17 08:12 - 01417728 _____ (Microsoft Corporation) C:\windows\SysWOW64\ole32.dll
2017-05-10 09:35 - 2017-04-17 08:12 - 00581632 _____ (Microsoft Corporation) C:\windows\SysWOW64\oleaut32.dll
2017-05-10 09:35 - 2017-04-17 08:12 - 00026112 _____ (Microsoft Corporation) C:\windows\SysWOW64\oleres.dll
2017-05-10 09:35 - 2017-04-17 07:54 - 00007168 _____ (Microsoft Corporation) C:\windows\SysWOW64\comcat.dll
2017-05-10 09:35 - 2017-04-16 02:17 - 02724864 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
2017-05-10 09:35 - 2017-04-16 02:16 - 00004096 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollectorres.dll
2017-05-10 09:35 - 2017-04-16 01:57 - 00066560 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll
2017-05-10 09:35 - 2017-04-16 01:55 - 00417792 _____ (Microsoft Corporation) C:\windows\system32\html.iec
2017-05-10 09:35 - 2017-04-16 01:55 - 00048640 _____ (Microsoft Corporation) C:\windows\system32\ieetwproxystub.dll
2017-05-10 09:35 - 2017-04-16 01:54 - 00576512 _____ (Microsoft Corporation) C:\windows\system32\vbscript.dll
2017-05-10 09:35 - 2017-04-16 01:54 - 00088064 _____ (Microsoft Corporation) C:\windows\system32\MshtmlDac.dll
2017-05-10 09:35 - 2017-04-16 01:51 - 02899456 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2017-05-10 09:35 - 2017-04-16 01:44 - 00054784 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
2017-05-10 09:35 - 2017-04-16 01:43 - 00034304 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll
2017-05-10 09:35 - 2017-04-16 01:38 - 00615936 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2017-05-10 09:35 - 2017-04-16 01:37 - 00144384 _____ (Microsoft Corporation) C:\windows\system32\ieUnatt.exe
2017-05-10 09:35 - 2017-04-16 01:37 - 00116224 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollector.exe
2017-05-10 09:35 - 2017-04-16 01:36 - 00817664 _____ (Microsoft Corporation) C:\windows\system32\jscript.dll
2017-05-10 09:35 - 2017-04-16 01:36 - 00814080 _____ (Microsoft Corporation) C:\windows\system32\jscript9diag.dll
2017-05-10 09:35 - 2017-04-16 01:35 - 25741312 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2017-05-10 09:35 - 2017-04-16 01:25 - 00968704 _____ (Microsoft Corporation) C:\windows\system32\MsSpellCheckingFacility.exe
2017-05-10 09:35 - 2017-04-16 01:21 - 00489984 _____ (Microsoft Corporation) C:\windows\system32\dxtmsft.dll
2017-05-10 09:35 - 2017-04-16 01:19 - 02724864 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.tlb
2017-05-10 09:35 - 2017-04-16 01:18 - 05977600 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2017-05-10 09:35 - 2017-04-16 01:11 - 00077824 _____ (Microsoft Corporation) C:\windows\system32\JavaScriptCollectionAgent.dll
2017-05-10 09:35 - 2017-04-16 01:10 - 00087552 _____ (Microsoft Corporation) C:\windows\system32\tdc.ocx
2017-05-10 09:35 - 2017-04-16 01:09 - 00107520 _____ (Microsoft Corporation) C:\windows\system32\inseng.dll
2017-05-10 09:35 - 2017-04-16 01:04 - 00199680 _____ (Microsoft Corporation) C:\windows\system32\msrating.dll
2017-05-10 09:35 - 2017-04-16 01:03 - 00092160 _____ (Microsoft Corporation) C:\windows\system32\mshtmled.dll
2017-05-10 09:35 - 2017-04-16 01:02 - 00062464 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesetup.dll
2017-05-10 09:35 - 2017-04-16 01:01 - 00499200 _____ (Microsoft Corporation) C:\windows\SysWOW64\vbscript.dll
2017-05-10 09:35 - 2017-04-16 01:01 - 00341504 _____ (Microsoft Corporation) C:\windows\SysWOW64\html.iec
2017-05-10 09:35 - 2017-04-16 01:01 - 00047616 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieetwproxystub.dll
2017-05-10 09:35 - 2017-04-16 01:00 - 00315392 _____ (Microsoft Corporation) C:\windows\system32\dxtrans.dll
2017-05-10 09:35 - 2017-04-16 01:00 - 00064000 _____ (Microsoft Corporation) C:\windows\SysWOW64\MshtmlDac.dll
2017-05-10 09:35 - 2017-04-16 00:57 - 00152064 _____ (Microsoft Corporation) C:\windows\system32\occache.dll
2017-05-10 09:35 - 2017-04-16 00:53 - 02290176 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2017-05-10 09:35 - 2017-04-16 00:52 - 00047104 _____ (Microsoft Corporation) C:\windows\SysWOW64\jsproxy.dll
2017-05-10 09:35 - 2017-04-16 00:52 - 00030720 _____ (Microsoft Corporation) C:\windows\SysWOW64\iernonce.dll
2017-05-10 09:35 - 2017-04-16 00:49 - 20278272 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2017-05-10 09:35 - 2017-04-16 00:48 - 00476160 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieui.dll
2017-05-10 09:35 - 2017-04-16 00:47 - 00663552 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript.dll
2017-05-10 09:35 - 2017-04-16 00:47 - 00115712 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieUnatt.exe
2017-05-10 09:35 - 2017-04-16 00:46 - 00620032 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9diag.dll
2017-05-10 09:35 - 2017-04-16 00:43 - 00262144 _____ (Microsoft Corporation) C:\windows\system32\webcheck.dll
2017-05-10 09:35 - 2017-04-16 00:40 - 00806912 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2017-05-10 09:35 - 2017-04-16 00:40 - 00725504 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2017-05-10 09:35 - 2017-04-16 00:37 - 02132992 _____ (Microsoft Corporation) C:\windows\system32\inetcpl.cpl
2017-05-10 09:35 - 2017-04-16 00:37 - 01359360 _____ (Microsoft Corporation) C:\windows\system32\mshtmlmedia.dll
2017-05-10 09:35 - 2017-04-16 00:35 - 00416256 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtmsft.dll
2017-05-10 09:35 - 2017-04-16 00:30 - 00060416 _____ (Microsoft Corporation) C:\windows\SysWOW64\JavaScriptCollectionAgent.dll
2017-05-10 09:35 - 2017-04-16 00:29 - 00073216 _____ (Microsoft Corporation) C:\windows\SysWOW64\tdc.ocx
2017-05-10 09:35 - 2017-04-16 00:28 - 00091136 _____ (Microsoft Corporation) C:\windows\SysWOW64\inseng.dll
2017-05-10 09:35 - 2017-04-16 00:25 - 00168960 _____ (Microsoft Corporation) C:\windows\SysWOW64\msrating.dll
2017-05-10 09:35 - 2017-04-16 00:24 - 00076288 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmled.dll
2017-05-10 09:35 - 2017-04-16 00:22 - 00279040 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtrans.dll
2017-05-10 09:35 - 2017-04-16 00:20 - 00130048 _____ (Microsoft Corporation) C:\windows\SysWOW64\occache.dll
2017-05-10 09:35 - 2017-04-16 00:12 - 00230400 _____ (Microsoft Corporation) C:\windows\SysWOW64\webcheck.dll
2017-05-10 09:35 - 2017-04-16 00:10 - 15250944 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2017-05-10 09:35 - 2017-04-16 00:10 - 00693248 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
2017-05-10 09:35 - 2017-04-16 00:08 - 04548608 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2017-05-10 09:35 - 2017-04-16 00:08 - 02057216 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcpl.cpl
2017-05-10 09:35 - 2017-04-16 00:08 - 01155072 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmlmedia.dll
2017-05-10 09:35 - 2017-04-16 00:04 - 03241472 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2017-05-10 09:35 - 2017-04-15 23:53 - 13661184 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2017-05-10 09:35 - 2017-04-15 23:50 - 01544704 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2017-05-10 09:35 - 2017-04-15 23:40 - 00800768 _____ (Microsoft Corporation) C:\windows\system32\ieapfltr.dll
2017-05-10 09:35 - 2017-04-15 23:37 - 02767872 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2017-05-10 09:35 - 2017-04-15 23:34 - 01314816 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2017-05-10 09:35 - 2017-04-15 23:34 - 00710144 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieapfltr.dll
2017-05-10 09:35 - 2017-04-12 08:32 - 01483776 _____ (Microsoft Corporation) C:\windows\system32\crypt32.dll
2017-05-10 09:35 - 2017-04-12 08:32 - 00229376 _____ (Microsoft Corporation) C:\windows\system32\wintrust.dll
2017-05-10 09:35 - 2017-04-12 08:32 - 00190976 _____ (Microsoft Corporation) C:\windows\system32\cryptsvc.dll
2017-05-10 09:35 - 2017-04-12 08:32 - 00141824 _____ (Microsoft Corporation) C:\windows\system32\cryptnet.dll
2017-05-10 09:35 - 2017-04-12 08:26 - 00179200 _____ (Microsoft Corporation) C:\windows\SysWOW64\wintrust.dll
2017-05-10 09:35 - 2017-04-12 08:25 - 01176064 _____ (Microsoft Corporation) C:\windows\SysWOW64\crypt32.dll
2017-05-10 09:35 - 2017-04-12 08:25 - 00145920 _____ (Microsoft Corporation) C:\windows\SysWOW64\cryptsvc.dll
2017-05-10 09:35 - 2017-04-12 08:25 - 00106496 _____ (Microsoft Corporation) C:\windows\SysWOW64\cryptnet.dll
2017-05-10 09:35 - 2017-04-07 08:34 - 00986856 _____ (Microsoft Corporation) C:\windows\system32\Drivers\dxgkrnl.sys
2017-05-10 09:35 - 2017-04-07 08:34 - 00265448 _____ (Microsoft Corporation) C:\windows\system32\Drivers\dxgmms1.sys
2017-05-10 09:35 - 2017-04-07 08:30 - 00405504 _____ (Microsoft Corporation) C:\windows\system32\gdi32.dll
2017-05-10 09:35 - 2017-04-07 08:30 - 00144384 _____ (Microsoft Corporation) C:\windows\system32\cdd.dll
2017-05-10 09:35 - 2017-04-07 08:22 - 00312832 _____ (Microsoft Corporation) C:\windows\SysWOW64\gdi32.dll
2017-05-10 09:35 - 2017-04-05 07:55 - 00460800 _____ (Microsoft Corporation) C:\windows\system32\Drivers\srv.sys
2017-05-10 09:35 - 2017-04-05 07:55 - 00405504 _____ (Microsoft Corporation) C:\windows\system32\Drivers\srv2.sys
2017-05-10 09:35 - 2017-04-05 07:55 - 00168960 _____ (Microsoft Corporation) C:\windows\system32\Drivers\srvnet.sys
2017-05-10 09:35 - 2017-04-04 08:34 - 01895656 _____ (Microsoft Corporation) C:\windows\system32\Drivers\tcpip.sys
2017-05-10 09:35 - 2017-04-04 08:34 - 00377576 _____ (Microsoft Corporation) C:\windows\system32\Drivers\netio.sys
2017-05-10 09:35 - 2017-04-04 08:34 - 00287976 _____ (Microsoft Corporation) C:\windows\system32\Drivers\FWPKCLNT.SYS
2017-05-10 09:35 - 2017-04-04 07:53 - 00496128 _____ (Microsoft Corporation) C:\windows\system32\Drivers\afd.sys
2017-05-10 09:35 - 2017-04-04 07:53 - 00117760 _____ (Microsoft Corporation) C:\windows\system32\Drivers\tdx.sys
2017-05-10 09:35 - 2017-03-10 09:32 - 01389056 _____ (Microsoft Corporation) C:\windows\system32\pla.dll
2017-05-10 09:35 - 2017-03-10 09:32 - 00300544 _____ (Microsoft Corporation) C:\windows\system32\pdh.dll
2017-05-10 09:35 - 2017-03-10 09:20 - 01508352 _____ (Microsoft Corporation) C:\windows\SysWOW64\pla.dll
2017-05-10 09:35 - 2017-03-10 09:20 - 00237056 _____ (Microsoft Corporation) C:\windows\SysWOW64\pdh.dll
2017-05-10 09:35 - 2017-03-10 08:57 - 00009216 _____ (Microsoft Corporation) C:\windows\system32\plasrv.exe
2017-05-10 09:35 - 2017-03-10 08:55 - 00205312 _____ (Microsoft Corporation) C:\windows\system32\Drivers\fastfat.sys
2017-05-10 09:35 - 2017-03-10 08:55 - 00195584 _____ (Microsoft Corporation) C:\windows\system32\Drivers\exfat.sys
2017-05-10 09:35 - 2017-03-09 09:34 - 00002048 _____ (Microsoft Corporation) C:\windows\system32\tzres.dll
2017-05-10 09:35 - 2017-03-09 09:19 - 00002048 _____ (Microsoft Corporation) C:\windows\SysWOW64\tzres.dll
2017-05-07 07:07 - 2017-05-07 07:07 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cybereason RansomFree

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-06-06 09:43 - 2013-04-06 19:41 - 00000437 _____ C:\windows\system32\Drivers\etc\hosts.ics
2017-06-06 09:41 - 2017-01-19 19:41 - 00000911 _____ C:\windows\Tasks\EPSON XP-640 Series Update {0DE57EA7-7786-46F5-B9B8-CA35346DBE4C}.job
2017-06-06 07:26 - 2009-07-13 21:45 - 00028928 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-06-06 07:26 - 2009-07-13 21:45 - 00028928 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-06-04 12:47 - 2016-05-26 21:58 - 00000000 ____D C:\Users\Dr. Feelgood\AppData\Local\ElevatedDiagnostics
2017-06-04 09:44 - 2017-03-10 08:21 - 00004172 _____ C:\windows\System32\Tasks\Avast Emergency Update
2017-06-02 12:46 - 2015-02-01 15:27 - 00215048 _____ C:\Users\Mike\Downloads\Biscuits.txt
2017-06-01 13:41 - 2016-11-16 11:19 - 00000000 ____D C:\Users\Mike\AppData\LocalLow\Mozilla
2017-06-01 12:27 - 2012-03-02 15:50 - 00461715 _____ C:\windows\system32\fastboot.set
2017-05-28 21:51 - 2009-07-13 22:13 - 00783464 _____ C:\windows\system32\PerfStringBackup.INI
2017-05-28 21:51 - 2009-07-13 20:20 - 00000000 ____D C:\windows\inf
2017-05-28 21:45 - 2009-07-13 22:08 - 00000006 ____H C:\windows\Tasks\SA.DAT
2017-05-28 21:44 - 2017-02-04 15:57 - 00000000 ____D C:\Program Files\Mozilla Firefox
2017-05-28 21:44 - 2012-08-31 15:51 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-05-28 20:27 - 2012-08-14 13:24 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-05-28 20:14 - 2014-01-23 14:32 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2017-05-28 18:48 - 2013-03-15 00:15 - 00000000 ____D C:\Users\Mike\AppData\Roaming\uTorrent
2017-05-28 12:12 - 2017-01-08 20:16 - 00001882 _____ C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2017-05-28 12:11 - 2012-08-13 15:02 - 00000000 ____D C:\Users\Mike
2017-05-28 12:07 - 2015-07-30 18:07 - 00000000 ____D C:\Users\Dr. Feelgood
2017-05-28 12:03 - 2015-12-03 15:00 - 00000000 ____D C:\windows\System32\Tasks\AVAST Software
2017-05-28 12:03 - 2015-08-30 23:42 - 00000000 ___HD C:\windows\system32\WLANProfiles
2017-05-28 12:03 - 2012-08-13 16:41 - 00000000 ____D C:\Users\Guest
2017-05-28 12:03 - 2009-07-13 20:20 - 00000000 ____D C:\windows\rescache
2017-05-28 12:03 - 2009-07-13 20:20 - 00000000 ____D C:\windows\PolicyDefinitions
2017-05-28 12:01 - 2017-01-21 20:39 - 00000000 ____D C:\Program Files (x86)\Design&Print
2017-05-28 12:01 - 2017-01-19 19:16 - 00000000 ____D C:\Users\Dr. Feelgood\AppData\Local\Cybereason
2017-05-28 12:01 - 2015-07-30 18:07 - 00000000 ____D C:\Users\Dr. Feelgood\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lenovo
2017-05-28 12:01 - 2012-08-14 09:51 - 00000000 ____D C:\Users\Mike\AppData\Roaming\IrfanView
2017-05-28 12:01 - 2012-08-13 15:02 - 00000000 ____D C:\Users\Mike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lenovo
2017-05-28 11:59 - 2009-07-13 20:20 - 00000000 ____D C:\windows\registration
2017-05-28 11:55 - 2017-02-02 09:47 - 00000000 ____D C:\Users\Dr. Feelgood\AppData\Roaming\Epson
2017-05-28 11:55 - 2015-11-10 14:58 - 00000000 ____D C:\Users\Dr. Feelgood\AppData\Local\Mozilla
2017-05-28 11:55 - 2015-08-31 13:51 - 00000000 ____D C:\Users\Dr. Feelgood\AppData\Roaming\Mozilla
2017-05-28 11:55 - 2015-08-05 12:35 - 00000000 ____D C:\Users\Dr. Feelgood\AppData\Local\Microsoft Games
2017-05-28 11:55 - 2015-07-30 18:07 - 00000000 ____D C:\Users\Dr. Feelgood\AppData\Roaming\Intel
2017-05-24 14:18 - 2016-02-13 20:29 - 00002314 _____ C:\Users\Mike\Desktop\Stuff.txt
2017-05-12 16:05 - 2014-01-23 12:24 - 00158880 _____ (AVAST Software) C:\windows\system32\Drivers\aswStm.sys
2017-05-10 11:53 - 2009-07-13 21:45 - 00263672 _____ C:\windows\system32\FNTCACHE.DAT
2017-05-10 09:45 - 2012-12-20 12:32 - 00776078 _____ C:\windows\SysWOW64\PerfStringBackup.INI
2017-05-10 09:42 - 2013-08-15 06:39 - 00000000 ____D C:\windows\system32\MRT
2017-05-10 09:38 - 2012-08-14 12:08 - 156335152 ____C (Microsoft Corporation) C:\windows\system32\MRT.exe
2017-05-09 16:04 - 2017-03-10 08:21 - 00334576 _____ (AVAST Software s.r.o.) C:\windows\system32\Drivers\aswbloga.sys
2017-05-09 16:04 - 2017-03-10 08:21 - 00311808 _____ (AVAST Software s.r.o.) C:\windows\system32\Drivers\aswbidsdrivera.sys
2017-05-09 16:04 - 2017-03-10 08:21 - 00190256 _____ (AVAST Software s.r.o.) C:\windows\system32\Drivers\aswbidsha.sys
2017-05-09 16:04 - 2017-03-10 08:21 - 00049016 _____ (AVAST Software s.r.o.) C:\windows\system32\Drivers\aswbuniva.sys
2017-05-09 16:04 - 2016-06-17 11:52 - 00032600 _____ (AVAST Software) C:\windows\system32\Drivers\aswKbd.sys
2017-05-09 16:04 - 2014-04-17 18:14 - 00038296 _____ (AVAST Software) C:\windows\system32\Drivers\aswHwid.sys
2017-05-09 16:04 - 2013-03-05 10:11 - 00339696 _____ (AVAST Software) C:\windows\system32\Drivers\aswVmm.sys
2017-05-09 16:04 - 2013-03-05 10:11 - 00075704 _____ (AVAST Software) C:\windows\system32\Drivers\aswRvrt.sys
2017-05-09 16:04 - 2012-08-14 11:58 - 01007160 _____ (AVAST Software) C:\windows\system32\Drivers\aswSnx.sys
2017-05-09 16:04 - 2012-08-14 11:58 - 00569192 _____ (AVAST Software) C:\windows\system32\Drivers\aswSP.sys
2017-05-09 16:04 - 2012-08-14 11:58 - 00128648 _____ (AVAST Software) C:\windows\system32\Drivers\aswMonFlt.sys
2017-05-09 16:04 - 2012-08-14 11:58 - 00101152 _____ (AVAST Software) C:\windows\system32\Drivers\aswRdr2.sys
2017-05-07 07:07 - 2016-12-19 12:15 - 00003992 _____ C:\windows\System32\Tasks\Cybereason RansomFree Keepalive
2017-05-07 07:07 - 2016-12-19 12:15 - 00003098 _____ C:\windows\System32\Tasks\Cybereason RansomFree Autostart

==================== Files in the root of some directories =======

2015-10-21 13:10 - 2015-10-21 13:10 - 0007639 _____ () C:\Users\Dr. Feelgood\AppData\Local\Resmon.ResmonCfg

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\wininit.exe => File is digitally signed
C:\windows\SysWOW64\wininit.exe => File is digitally signed
C:\windows\explorer.exe => File is digitally signed
C:\windows\SysWOW64\explorer.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\SysWOW64\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\SysWOW64\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\SysWOW64\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\dnsapi.dll => File is digitally signed
C:\windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-06-02 13:34

==================== End of FRST.txt ============================


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 05-06-2017
Ran by Dr. Feelgood (06-06-2017 09:55:59)
Running from C:\Users\Dr. Feelgood\Downloads
Windows 7 Home Premium Service Pack 1 (X64) (2012-08-13 22:02:49)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1486635349-3231517910-980370596-500 - Administrator - Disabled)
Dr. Feelgood (S-1-5-21-1486635349-3231517910-980370596-1018 - Administrator - Enabled) => C:\Users\Dr. Feelgood
Guest (S-1-5-21-1486635349-3231517910-980370596-501 - Limited - Disabled) => C:\Users\Guest
HomeGroupUser$ (S-1-5-21-1486635349-3231517910-980370596-1002 - Limited - Enabled)
Mike (S-1-5-21-1486635349-3231517910-980370596-1000 - Limited - Enabled) => C:\Users\Mike

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avast Antivirus (Enabled - Up to date) {8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Malwarebytes (Enabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Avast Antivirus (Enabled - Up to date) {35C973AA-9ABB-D3CA-B100-B0DC0E5F2402}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKU\S-1-5-21-1486635349-3231517910-980370596-1000\...\uTorrent) (Version: 3.4.1.30768 - BitTorrent Inc.)
7-Zip 16.04 (x64 edition) (HKLM\...\{23170F69-40C1-2702-1604-000001000000}) (Version: 16.04.00.0 - Igor Pavlov)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 17.009.20044 - Adobe Systems Incorporated)
Avast Free Antivirus (HKLM-x32\...\Avast Antivirus) (Version: 17.4.2294 - AVAST Software)
Avery Design & Print (HKLM-x32\...\Avery Design & Print 3.0.2) (Version: 3.0.2 - Avery Products Corporation)
calibre 64bit (HKLM\...\{2C5BEB65-2CCC-4A28-99EA-12667FD185BA}) (Version: 1.32.0 - Kovid Goyal)
CCleaner (HKLM\...\CCleaner) (Version: 5.08 - Piriform)
Cybereason RansomFree 2.2.7.0 (HKLM-x32\...\{4270E670-6048-45D1-8735-BF55FD0CC07C}) (Version: 2.2.7.0 - Cybereason Inc.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Easy Photo Scan (HKLM-x32\...\{250F80AF-F5EA-4E42-BB64-5D8014C7C538}) (Version: 1.00.0007 - Seiko Epson Corporation)
Energy Management (HKLM-x32\...\InstallShield_{D0956C11-0F60-43FE-99AD-524E833471BB}) (Version: 6.0.2.1 - Lenovo)
Energy Management (x32 Version: 6.0.2.1 - Lenovo) Hidden
Epson Customer Research Participation (HKLM\...\{B26449A6-6007-4460-B4FE-C4776115BCEA}) (Version: 1.81.0000 - Seiko Epson Corporation)
Epson Event Manager (HKLM-x32\...\{9F205E94-9E42-4486-A92A-DF3F6CB85444}) (Version: 3.10.0061 - Seiko Epson Corporation)
Epson Print CD (HKLM-x32\...\{D16A31F9-276D-4968-A753-FFEAC56995D0}) (Version: 2.42.00 - SEIKO EPSON CORPORATION)
Epson Scan 2 (HKLM-x32\...\Epson Scan 2) (Version:  - Seiko Epson Corporation)
EPSON Scan OCR Component (HKLM-x32\...\{563B99D8-8895-4E3E-AE8D-15BE8C05F1C1}) (Version: 3.00.01 - SEIKO EPSON Corp.)
Epson Software Updater (HKLM-x32\...\{82B94253-3FBC-4779-B3BF-C690AD54AFDB}) (Version: 4.4.0 - SEIKO EPSON CORPORATION)
EPSON XP-640 Series Printer Uninstall (HKLM\...\EPSON XP-640 Series) (Version:  - Seiko Epson Corporation)
Epson XP-640 User’s Guide version 1.0 (HKLM-x32\...\UsersGuideEpson XP-640 User’s Guide_is1) (Version: 1.0 - )
EpsonNet Print (HKLM\...\{0CB4EF8E-EE5B-49F6-8376-A702C222D6DA}) (Version: 3.1.3.0 - SEIKO EPSON Corporation)
FairElm Sudoku (HKLM-x32\...\{06444E18-3144-4D84-ACE0-81BAA277CDF0}) (Version: 02.02.0000 - FairElm)
FLAC to MP3 Converter 6.1.9 (HKLM-x32\...\DD4F47DF-6540-4BDA-BEAD-2B19250B0C48_is1) (Version:  - Accmeware Corporation)
Free Ringtone Maker 2.4 (HKLM-x32\...\Free Ringtone Maker_is1) (Version:  - musetips.com)
Google Earth (HKLM-x32\...\{F6430171-B86B-4639-839E-374913E7911D}) (Version: 7.1.8.3036 - Google)
Google Earth Pro (HKLM-x32\...\{35DAA04C-1720-4BE3-A920-A03731EC6A1D}) (Version: 7.1.5.1557 - Google)
Google Update Helper (x32 Version: 1.3.33.5 - Google Inc.) Hidden
Gpg4win (2.3.3) (HKLM-x32\...\GPG4Win) (Version: 2.3.3 - The Gpg4win Project)
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1008 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.4229 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 10.1.5.1001 - Intel Corporation)
Intel® SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
Intel® Wireless Display (HKLM\...\{28EF7372-9087-4AC3-9B9F-D9751FCDF830}) (Version:  - )
Intel® Wireless Display (HKLM-x32\...\{F84906ED-BB54-4889-B131-FED9C9056FC8}) (Version: 2.0.27.0 - Intel Corporation)
Intel® PROSet/Wireless Software (HKLM-x32\...\{eddf4201-b72e-4e94-9e7b-ac1ba97c029f}) (Version: 16.11.0 - Intel Corporation)
IrfanView 4.44 (32-bit) (HKLM-x32\...\IrfanView) (Version: 4.44 - Irfan Skiljan)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Kingsoft Office 2013 (9.1.0.4480) (HKLM-x32\...\Kingsoft Office) (Version: 9.1.0.4480 - Kingsoft Corp.)
K-Lite Mega Codec Pack 9.1.8 (HKLM-x32\...\KLiteCodecPack_is1) (Version: 9.1.8 - )
Lenovo Bluetooth with Enhanced Data Rate Software (HKLM\...\{436E0B79-2CFB-4E5F-9380-E17C1B25D0C5}) (Version: 6.3.0.8000 - Broadcom Corporation)
Lenovo EasyCamera (HKLM-x32\...\{FC9B811E-39BC-4813-9E29-B83CCF700010}) (Version: 2.16.23.3 - Alcor)
Lenovo EE Boot Optimizer (HKLM\...\Lenovo EE Boot Optimizer) (Version: 0.0.1.5 - Lenovo)
Lenovo OneKey Recovery (HKLM-x32\...\InstallShield_{46F4D124-20E5-4D12-BE52-EC177A7A4B42}) (Version: 7.0.1628 - CyberLink Corp.)
Lenovo OneKey Recovery (Version: 7.0.1628 - CyberLink Corp.) Hidden
Lenovo PowerDVD 10 (HKLM-x32\...\InstallShield_{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}) (Version: 10.0.2811.52 - CyberLink Corp.)
Lenovo PowerDVD 10 (x32 Version: 10.0.2811.52 - CyberLink Corp.) Hidden
Lenovo YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 3.1.3603 - CyberLink Corp.)
Lenovo YouCam (x32 Version: 3.1.3603 - CyberLink Corp.) Hidden
Malwarebytes version 3.1.2.1733 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.1.2.1733 - Malwarebytes)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Click-to-Run 2010 (HKLM-x32\...\Office14.Click2Run) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Starter 2010 - English (HKLM-x32\...\{90140011-0066-0409-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50906.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mozilla Firefox 51.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 51.0.1 (x86 en-US)) (Version: 51.0.1 - Mozilla)
Mozilla Firefox 53.0.3 (x64 en-US) (HKLM\...\Mozilla Firefox 53.0.3 (x64 en-US)) (Version: 53.0.3 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 53.0 - Mozilla)
Onekey Theater (HKLM-x32\...\InstallShield_{D4B060B9-AD4A-4152-9D99-28B93C615AFE}) (Version: 2.0.2.7 - Lenovo)
Onekey Theater (x32 Version: 2.0.2.7 - Lenovo) Hidden
ooVoo (HKLM-x32\...\{FAA7F8FF-3C05-4A61-8F14-D8A6E9ED6623}) (Version: 2.2.4.25 - ooVoo LLC.)
Power2Go (HKLM-x32\...\{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 5.6.0.7303 - CyberLink Corp.)
Realtek Ethernet Controller Driver For Windows 7 (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.21.531.2010 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6505 - Realtek Semiconductor Corp.)
Realtek USB 2.0 Reader Driver (HKLM-x32\...\{62BBB2F0-E220-4821-A564-730807D2C34D}) (Version: 6.1.7600.10008 - Realtek Semiconductor Corp.)
Recuva (HKLM\...\Recuva) (Version: 1.48 - Piriform)
SafeZone Stable 3.55.2393.607 (x32 Version: 3.55.2393.607 - Avast Software) Hidden
Sokoban YASC (HKLM-x32\...\Sokoban YASC - Yet Another Sokoban Clone_is1) (Version:  - )
Sokoban++ (remove only) (HKLM-x32\...\SokobanPP) (Version:  - )
SRS Control Panel (HKLM\...\{25EE6AF4-8FD6-4E09-AD9B-3ACC0B81D902}) (Version: 1.11.4800 - SRS Labs, Inc.)
SUDOKU PC (HKLM-x32\...\{5C708FDA-FC24-4A18-8F4C-D90AB0E8851C}) (Version: 1.7.0 - hepokal)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1218 - SUPERAntiSpyware.com)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 15.2.7.0 - Synaptics Incorporated)
TrueCrypt (HKLM-x32\...\TrueCrypt) (Version: 7.1a - TrueCrypt Foundation)
UserGuide (HKLM-x32\...\InstallShield_{F07C2CF8-4C53-4EC3-8162-A6221E36EB88}) (Version: 1.0.0.6 - Lenovo)
UserGuide (x32 Version: 1.0.0.6 - Lenovo) Hidden
VeraCrypt (HKLM-x32\...\VeraCrypt) (Version: 1.0f-2 - IDRIX)
VeriFace (HKLM-x32\...\VeriFace) (Version: 4.0.0.1206 - Lenovo)
Windows Driver Package - Lenovo (ACPIVPC) System  (12/02/2010 6.1.0.1) (HKLM\...\EA12B1FB53CE4E387C31A85236C41EF559B5E392) (Version: 12/02/2010 6.1.0.1 - Lenovo)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3508.1109 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
WinRAR 5.40 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.40.0 - win.rar GmbH)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {08260E89-2E52-4BAA-AB71-91F94DDA08FC} - System32\Tasks\Cybereason RansomFree Autostart => C:\Program Files (x86)\Cybereason\RansomFree\CybereasonRansomFree.exe [2017-05-07] (Cybereason)
Task: {25FCDA22-1E31-48D6-AD02-8DEF78C57E86} - System32\Tasks\{6C757AC7-5F24-4A64-9B55-46B62770849C} => pcalua.exe -a C:\Users\Mike\Downloads\startuplite-setup-1.07.exe -d C:\Users\Mike\Downloads
Task: {2BB941DE-BA49-4819-8541-60B3DD9B956B} - System32\Tasks\Games\UpdateCheck_S-1-5-21-1486635349-3231517910-980370596-1018
Task: {2D71F9DD-230F-42CD-B4D0-55DAC2066C34} - \Microsoft\Windows\Windows Activation Technologies\ValidationTask -> No File <==== ATTENTION
Task: {2F57269B-1E09-4E2D-AB1E-B0FDAC7D279C} - \Microsoft\Windows\WindowsBackup\ConfigNotification -> No File <==== ATTENTION
Task: {3A585901-4AE9-4BC0-877A-8EBE354E4F85} - System32\Tasks\Avast Emergency Update => C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe [2017-05-09] (AVAST Software)
Task: {4DC25A8F-9CF4-4A9F-ACF3-778E94BA5F7B} - System32\Tasks\EPSON XP-640 Series Update {0DE57EA7-7786-46F5-B9B8-CA35346DBE4C} => C:\windows\system32\spool\DRIVERS\x64\3\E_YTSRHE.EXE [2013-11-21] (SEIKO EPSON CORPORATION)
Task: {4F373DAA-3BE0-4035-8829-BA2069F69C6F} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-08-20] (Google Inc.)
Task: {6DE0F951-46BD-42E1-A91E-0B703324D314} - System32\Tasks\WpsUpdateTask_Mike => C:\Program Files (x86)\Kingsoft\Kingsoft Office\wtoolex\wpsupdate.exe [2017-01-20] (Zhuhai Kingsoft Office Software Co.,Ltd)
Task: {7B4C7674-2EFA-46DC-8E4A-1669FB3B13F5} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-07-17] (Piriform Ltd)
Task: {8A06FBBA-9396-4DB0-9654-D8A020A41143} - \Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline -> No File <==== ATTENTION
Task: {8D50B6BC-251C-455E-846E-7045090BD160} - System32\Tasks\Cybereason RansomFree Keepalive => C:\Program Files (x86)\Cybereason\RansomFree\CybereasonRansomFree.exe [2017-05-07] (Cybereason)
Task: {A36040D9-7E19-460E-BCCF-44DDF1E2BBDA} - System32\Tasks\WpsNotifyTask_Mike => C:\Program Files (x86)\Kingsoft\Kingsoft Office\wtoolex\wpsnotify.exe [2013-12-26] (Zhuhai Kingsoft Office Software Co.,Ltd)
Task: {A757F718-B98D-4914-9483-AAEE6EF46268} - \Taplika cafe -> No File <==== ATTENTION
Task: {A95DF77E-DFDA-49FD-9B85-CB9C3A09A9C9} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe [2017-04-13] (AVAST Software)
Task: {AC4E5ACF-89F7-4220-BA21-81EE183975E2} - \Microsoft\Windows\Application Experience\AitAgent -> No File <==== ATTENTION
Task: {C39137A3-E2CB-4C3E-95F8-0290249898CE} - System32\Tasks\MirageAgent => C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe [2010-12-04] (CyberLink)
Task: {CEE64558-E1A7-4D9D-80A7-2001912BE5B5} - \Microsoft\Windows\MemoryDiagnostic\CorruptionDetector -> No File <==== ATTENTION
Task: {D236D2FC-DDDD-4398-A087-326F80FBF83B} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-04-25] (Adobe Systems Incorporated)
Task: {D803DBA4-B428-4134-91A7-FA1A249F292B} - System32\Tasks\SafeZone scheduled Autoupdate 1467713979 => C:\Program Files\AVAST Software\SZBrowser\launcher.exe [2017-05-17] (Avast Software)
Task: {E4A18167-95B2-42E1-AD37-FA046B66BD8F} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-08-20] (Google Inc.)
Task: {FA2BC0A6-8D4B-458A-85C8-2B8C72487513} - \Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector -> No File <==== ATTENTION

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\windows\Tasks\EPSON XP-640 Series Update {0DE57EA7-7786-46F5-B9B8-CA35346DBE4C}.job => C:\windows\system32\spool\DRIVERS\x64\3\E_YTSRHE.EXE :/EXE:{0DE57EA7-7786-46F5-B9B8-CA35346DBE4C} /F:Update  SYSTEM ĊSearches for EPSON software updates, and notifies you when updates are available.If this task is disabled or stopped, your EPSON software will not be automatically kept up to date.Thi
Task: C:\windows\Tasks\WpsNotifyTask_Mike.job => C:\Program Files (x86)\Kingsoft\Kingsoft Office\wtoolex\wpsnotify.exe
Task: C:\windows\Tasks\WpsUpdateTask_Mike.job => C:\Program Files (x86)\Kingsoft\Kingsoft Office\wtoolex\wpsupdate.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2016-08-18 01:27 - 2016-08-18 01:27 - 00216576 _____ () C:\Program Files (x86)\GNU\GnuPG\dirmngr.exe
2010-11-11 03:42 - 2010-11-11 03:42 - 00202144 _____ () C:\Program Files (x86)\Lenovo\Onekey Theater\ActiveDetect64.dll
2010-11-11 03:44 - 2010-11-11 03:44 - 00156576 _____ () C:\Program Files (x86)\Lenovo\Onekey Theater\WindowsApiHookDll64.dll
2012-03-02 15:45 - 2012-03-02 15:45 - 01502720 _____ () C:\windows\system32\IcnOvrly.dll
2012-03-02 15:45 - 2012-03-02 15:45 - 00622592 _____ () C:\windows\system32\SimpleExt.dll
2008-12-19 20:20 - 2012-03-02 16:03 - 00054088 _____ () C:\Program Files (x86)\Lenovo\Energy Management\HookLib.dll
2012-03-02 15:51 - 2012-03-02 15:51 - 00100256 _____ () C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe
2008-12-19 20:20 - 2012-03-02 16:03 - 00054088 _____ () C:\Program Files (x86)\Lenovo\Energy Management\kbdhook.dll
2011-04-13 20:01 - 2011-03-25 02:28 - 00094208 _____ () C:\windows\System32\IccLibDll_x64.dll
2017-05-28 20:27 - 2017-06-03 09:13 - 02270664 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MwacLib.dll
2017-05-09 16:04 - 2017-05-09 16:04 - 00162024 _____ () c:\Program Files\AVAST Software\Avast\x64\vaarclient.dll
2017-05-09 16:04 - 2017-05-09 16:04 - 00825960 _____ () C:\Program Files\AVAST Software\Avast\x64\ffl2.dll
2017-05-09 16:04 - 2017-05-09 16:04 - 00275776 _____ () c:\Program Files\AVAST Software\Avast\x64\StreamBack.dll
2017-05-09 16:04 - 2017-05-09 16:04 - 00170216 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2017-05-09 16:04 - 2017-05-09 16:04 - 00176992 _____ () C:\Program Files\AVAST Software\Avast\event_routing_rpc.dll
2017-05-09 16:04 - 2017-05-09 16:04 - 00223224 _____ () C:\Program Files\AVAST Software\Avast\tasks_core.dll
2017-05-28 14:22 - 2017-05-28 14:22 - 06100776 _____ () C:\Program Files\AVAST Software\Avast\defs\17052800\algo.dll
2017-05-09 16:04 - 2017-05-09 16:04 - 00684656 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2017-05-09 16:04 - 2017-05-09 16:04 - 00230632 _____ () C:\Program Files\AVAST Software\Avast\streamback.dll
2017-06-02 12:26 - 2017-06-02 12:26 - 06101296 _____ () C:\Program Files\AVAST Software\Avast\defs\17060204\algo.dll
2017-06-06 07:18 - 2017-06-06 07:18 - 06100784 _____ () C:\Program Files\AVAST Software\Avast\defs\17060600\algo.dll
2016-08-18 01:14 - 2016-08-18 01:14 - 00222720 _____ () C:\Program Files (x86)\GNU\GnuPG\libksba-8.dll
2016-08-18 01:09 - 2016-08-18 01:09 - 00103424 _____ () C:\Program Files (x86)\GNU\GnuPG\libgpg-error-0.dll
2016-08-18 01:03 - 2016-08-18 01:03 - 00050176 _____ () C:\Program Files (x86)\GNU\GnuPG\libw32pth-0.dll
2016-08-18 01:14 - 2016-08-18 01:14 - 00073728 _____ () C:\Program Files (x86)\GNU\GnuPG\libassuan-0.dll
2016-08-18 01:17 - 2016-08-18 01:17 - 00751104 _____ () C:\Program Files (x86)\GNU\GnuPG\libgcrypt-20.dll
2010-11-11 03:38 - 2010-11-11 03:38 - 00161696 _____ () C:\Program Files (x86)\Lenovo\Onekey Theater\ActiveDetect32.dll
2010-11-11 03:39 - 2010-11-11 03:39 - 00133024 _____ () C:\Program Files (x86)\Lenovo\Onekey Theater\WindowsApiHookDll32.dll
2017-05-09 16:04 - 2017-05-09 16:04 - 00997896 _____ () C:\Program Files\AVAST Software\Avast\AvChrome.dll
2017-05-09 16:04 - 2017-05-09 16:04 - 67717632 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2017-05-09 16:04 - 2017-05-09 16:04 - 00291824 _____ () C:\Program Files\AVAST Software\Avast\gaming_mode_ui.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\Temp:1D559578 [143]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 19:34 - 2009-06-10 14:00 - 00000824 _____ C:\windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1486635349-3231517910-980370596-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Mike\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
HKU\S-1-5-21-1486635349-3231517910-980370596-1018\Control Panel\Desktop\\Wallpaper -> C:\Users\Dr. Feelgood\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 75.75.75.75 - 75.75.76.76
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\Services: !SASCORE => 2
MSCONFIG\Services: WinDefend => 2
MSCONFIG\Services: WMPNetworkSvc => 2
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk => C:\windows\pss\Bluetooth.lnk.CommonStartup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: CCleaner Monitoring => "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
MSCONFIG\startupreg: RemoteControl10 => "C:\Program Files (x86)\Lenovo\PowerDVD10\PDVD10Serv.exe"
MSCONFIG\startupreg: S6000Mnt => C:\windows\SysWOW64\Rundll32.exe S6000Rmv.dll,WinMainRmv /StartStillMnt
MSCONFIG\startupreg: VeriFaceManager => C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe
MSCONFIG\startupreg: YouCam Mirage => "C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe"
MSCONFIG\startupreg: YouCam Tray => "C:\Program Files (x86)\Lenovo\YouCam\YouCam.exe" /s

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{EBF01CC5-035B-45EB-A108-3C9A5508D373}] => (Allow) C:\Program Files (x86)\Intel Corporation\Intel Wireless Display\WiDiApp.exe
FirewallRules: [{29C969A2-D266-41CE-B0E3-3C1768072762}] => (Allow) C:\Program Files (x86)\Lenovo\PowerDVD10\PowerDVD Cinema\PowerDVDCinema10.exe
FirewallRules: [{04BEE46A-8098-4014-A4FF-50A4F6011335}] => (Allow) C:\Program Files (x86)\Lenovo\PowerDVD10\PowerDVD10.EXE
FirewallRules: [{713148FB-1F5B-489E-970C-D750232FF37A}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{C53E173D-0EAB-4AB9-8A48-E2B7895101FE}] => (Allow) LPort=2869
FirewallRules: [{7D822201-3BF2-4D60-8617-903BD51E2620}] => (Allow) LPort=1900
FirewallRules: [{4694F3F7-6887-48F1-BEFD-D65BFB1FD0B8}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
FirewallRules: [{B67D60E3-E442-400A-A613-F82ABDB0B3E5}] => (Allow) C:\Program Files (x86)\Windows Live\Mesh\MOE.exe
FirewallRules: [TCP Query User{11AEBBC1-14FB-427F-A595-60E1B8021AE3}C:\program files (x86)\oovoo\oovoo.exe] => (Block) C:\program files (x86)\oovoo\oovoo.exe
FirewallRules: [UDP Query User{B034A7A8-67A9-4E21-AB39-CEB1529F7CE8}C:\program files (x86)\oovoo\oovoo.exe] => (Block) C:\program files (x86)\oovoo\oovoo.exe
FirewallRules: [TCP Query User{CA27E99E-4334-4B73-B17B-05CCC11F22A6}C:\program files (x86)\oovoo\oovoo.exe] => (Block) C:\program files (x86)\oovoo\oovoo.exe
FirewallRules: [UDP Query User{76B1FB79-4D00-49C3-9FE2-B3022912017F}C:\program files (x86)\oovoo\oovoo.exe] => (Block) C:\program files (x86)\oovoo\oovoo.exe
FirewallRules: [TCP Query User{B5CBA052-C16A-4C60-AE09-B82BF4987767}C:\program files (x86)\streamtorrent 1.0\streamtorrent.exe] => (Allow) C:\program files (x86)\streamtorrent 1.0\streamtorrent.exe
FirewallRules: [UDP Query User{4CEC21EB-5F65-417B-B7C1-9B84308C12C2}C:\program files (x86)\streamtorrent 1.0\streamtorrent.exe] => (Allow) C:\program files (x86)\streamtorrent 1.0\streamtorrent.exe
FirewallRules: [TCP Query User{E30DF489-74B5-4B61-A287-8585932CDD7A}C:\users\mike\appdata\roaming\utorrent\utorrent.exe] => (Allow) C:\users\mike\appdata\roaming\utorrent\utorrent.exe
FirewallRules: [UDP Query User{6F472984-890A-4CA2-A742-A7FC572EE3F7}C:\users\mike\appdata\roaming\utorrent\utorrent.exe] => (Allow) C:\users\mike\appdata\roaming\utorrent\utorrent.exe
FirewallRules: [{1E906DE5-1487-4D6D-817E-CE954A2DE8CD}] => (Allow) C:\Users\Mike\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{8659E8B3-17E5-4A6E-8537-D25BE8FC2DF6}] => (Allow) C:\Users\Mike\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [TCP Query User{F7EF1112-8E7E-4ADC-BE63-AF6002B79328}C:\users\mike\downloads\utorrent(1).exe] => (Allow) C:\users\mike\downloads\utorrent(1).exe
FirewallRules: [UDP Query User{EDBE39AC-A630-42D2-AC2F-2053DFAA717A}C:\users\mike\downloads\utorrent(1).exe] => (Allow) C:\users\mike\downloads\utorrent(1).exe
FirewallRules: [{52B0A251-C5B4-47C0-A3EB-283E49213F82}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{7605002D-4D5F-4107-8C21-E01C70829E88}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{408D1B83-73B3-4D1A-AA95-DB61DA24FE11}C:\program files (x86)\mozilla firefox\firefox.exe] => (Allow) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [UDP Query User{71C700C4-05AF-4ABB-87A4-C5F983AA1F61}C:\program files (x86)\mozilla firefox\firefox.exe] => (Allow) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [{ADF2FB6A-A831-4F4C-9D57-7ED482616448}] => (Allow) C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
FirewallRules: [{900307DB-DA76-4F79-9684-A3C8617695C8}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{79E7EF17-E2FE-4460-AFD9-AB02D0A585BF}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{3FD7345D-7C93-4BA9-BC40-FD345555192A}] => (Allow) C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe
FirewallRules: [{8857B539-776D-4B26-BE0B-B4BA1DE55C64}] => (Allow) C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe
FirewallRules: [{BA4C5504-0581-4D14-B90C-56A264B35F85}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{E250C70F-BC23-46B0-8A0C-A6CE23F10650}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{109FA8BF-9EEA-4F32-AC8B-A0ADEF10E76B}] => (Allow) C:\Program Files\AVAST Software\SZBrowser\3.55.2393.596_1\SZBrowser.exe
FirewallRules: [{38449E86-7F08-495C-B038-1CF612B0DA69}] => (Allow) C:\Program Files\AVAST Software\SZBrowser\3.55.2393.607\SZBrowser.exe

==================== Restore Points =========================

28-05-2017 11:50:09 Restore Operation
05-06-2017 00:52:08 Scheduled Checkpoint

==================== Faulty Device Manager Devices =============

Name: Microsoft Teredo Tunneling Adapter
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: VBoxAsw Support Driver
Description: VBoxAsw Support Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: VBoxAswDrv
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.


==================== Event log errors: =========================

Application errors:
==================
Error: (06/01/2017 09:10:35 AM) (Source: CVHSVC) (EventID: 100) (User: )
Description: Information only.
(Patch task for {90140011-0066-0409-0000-0000000FF1CE}): DownloadLatest Failed: There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected.

Error: (05/28/2017 09:47:08 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (05/28/2017 07:41:04 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: cmd.exe, version: 6.1.7601.17514, time stamp: 0x4ce78e2b
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x03bd74ac
Faulting process id: 0xc10
Faulting application start time: 0x01d2d824d08fb7c7
Faulting application path: C:\windows\SysWOW64\cmd.exe
Faulting module path: unknown
Report Id: 41b141d3-4418-11e7-a49d-6427378b2e0d

Error: (05/28/2017 07:36:24 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: cmd.exe, version: 6.1.7601.17514, time stamp: 0x4ce78e2b
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x03bd74ac
Faulting process id: 0x18a0
Faulting application start time: 0x01d2d82423c860bf
Faulting application path: C:\windows\SysWOW64\cmd.exe
Faulting module path: unknown
Report Id: 9accb1d9-4417-11e7-a49d-6427378b2e0d

Error: (05/28/2017 12:18:32 PM) (Source: CVHSVC) (EventID: 100) (User: )
Description: Information only.
Error: Failed to make the SOAP Call HResult: 0x800c0005. Exception caught while trying to report the Update Event

Error: (05/28/2017 12:18:32 PM) (Source: CVHSVC) (EventID: 100) (User: )
Description: Information only.
(Patch task for {90140011-0066-0409-0000-0000000FF1CE}): DownloadLatest Failed: There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected.

Error: (05/28/2017 12:08:03 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (05/22/2017 11:23:24 PM) (Source: CVHSVC) (EventID: 100) (User: )
Description: Information only.
Error: Failed to make the SOAP Call HResult: 0x800c0005. Exception caught while trying to report the Update Event

Error: (05/22/2017 11:23:24 PM) (Source: CVHSVC) (EventID: 100) (User: )
Description: Information only.
(Patch task for {90140011-0066-0409-0000-0000000FF1CE}): DownloadLatest Failed: There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected.

Error: (05/22/2017 11:13:21 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.


System errors:
=============
Error: (06/06/2017 09:46:23 AM) (Source: ipnathlp) (EventID: 31004) (User: )
Description: The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.

Error: (06/06/2017 09:43:56 AM) (Source: ipnathlp) (EventID: 30013) (User: )
Description: The DHCP allocator has disabled itself on IP address 10.234.131.203, since the IP address is outside the 192.168.137.0/255.255.255.0 scope from which addresses are being allocated to DHCP clients. To enable the DHCP allocator on this IP address, change the scope to include the IP address, or change the IP address to fall within the scope.

Error: (06/06/2017 09:43:53 AM) (Source: ipnathlp) (EventID: 31004) (User: )
Description: The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.

Error: (06/06/2017 07:18:06 AM) (Source: ipnathlp) (EventID: 30013) (User: )
Description: The DHCP allocator has disabled itself on IP address 10.234.131.203, since the IP address is outside the 192.168.137.0/255.255.255.0 scope from which addresses are being allocated to DHCP clients. To enable the DHCP allocator on this IP address, change the scope to include the IP address, or change the IP address to fall within the scope.

Error: (06/06/2017 07:18:04 AM) (Source: ipnathlp) (EventID: 31004) (User: )
Description: The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.

Error: (06/05/2017 07:35:24 PM) (Source: ipnathlp) (EventID: 31004) (User: )
Description: The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.

Error: (06/05/2017 07:05:57 PM) (Source: ipnathlp) (EventID: 31004) (User: )
Description: The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.

Error: (06/05/2017 05:32:03 PM) (Source: ipnathlp) (EventID: 30013) (User: )
Description: The DHCP allocator has disabled itself on IP address 10.235.224.90, since the IP address is outside the 192.168.137.0/255.255.255.0 scope from which addresses are being allocated to DHCP clients. To enable the DHCP allocator on this IP address, change the scope to include the IP address, or change the IP address to fall within the scope.

Error: (06/05/2017 04:45:10 PM) (Source: ipnathlp) (EventID: 31004) (User: )
Description: The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.

Error: (06/05/2017 04:15:46 PM) (Source: ipnathlp) (EventID: 30013) (User: )
Description: The DHCP allocator has disabled itself on IP address 10.235.224.90, since the IP address is outside the 192.168.137.0/255.255.255.0 scope from which addresses are being allocated to DHCP clients. To enable the DHCP allocator on this IP address, change the scope to include the IP address, or change the IP address to fall within the scope.


==================== Memory info ===========================

Processor: Intel® Core™ i5-2450M CPU @ 2.50GHz
Percentage of memory in use: 69%
Total physical RAM: 8106.14 MB
Available physical RAM: 2501.37 MB
Total Virtual: 16210.46 MB
Available Virtual: 3972.88 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:654.69 GB) (Free:585.32 GB) NTFS
Drive d: (LENOVO) (Fixed) (Total:29 GB) (Free:26.24 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 698.6 GB) (Disk ID: 9B9A8C74)
Partition 1: (Active) - (Size=200 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=654.7 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=29 GB) - (Type=OF Extended)
Partition 4: (Not Active) - (Size=14.8 GB) - (Type=12)

==================== End of Addition.txt ============================


Hello nasdaq,

We've already made some progress as I was unable to C&P the logs before. That is why I posted them the way I did originally. One issue that happened was that I got a pop-up message from Cybereason RansomFree that said an attempt had been made to lock up my computer, but had been defeated. It said I might have to clean things up manually. I did try again to remove the offending users and folders, without success. This occurred after I started this thread, but I decided to wait instead of posting info not requested.

The bizarre users and other folders are still there, and still cannot be removed. Here is a link to my original post with screenshots of the users and 2 of the other folders that are in question:

https://www.bleepingcomputer.com/forums/t/647842/undeletable-folders-and-users-on-win-7/


There are more of these types of folders, but I quit looking for them when I couldn't delete them.

Other than just the existence of these folders, the issues are a bit hard to pin down. I have noticed at times, even when a page has fully loaded, it continues to load. I have also noticed that even though I put new batteries in my mouse, it will, at times, refuse to scroll down unless I grab the sidebar and drag it down. It will scroll up, however.

I am far from a power user, so there are issues that might present themselves to others that I may never see. I don't use my computer for business, and the only part of Office I use is Word.


Thank you for your time,

Mike



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,587 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:01 AM

Posted 07 June 2017 - 07:15 AM

Hi,

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.

start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Toolbar: HKU\S-1-5-21-1486635349-3231517910-980370596-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @oberon-media.com/ONCAdapter -> C:\Program Files (x86)\Common Files\Oberon Media\NCAdapter\1.0.0.8\npapicomadapter.dll [No File]
S3 AvastVBoxSvc; C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe [X]
U2 CLKMSVC10_C3B3B687; no ImagePath
U2 DriverService; no ImagePath
U2 IAStorDataMgrSvc; no ImagePath
U2 idealife Update Service; no ImagePath
U3 IGRS; no ImagePath
U2 IviRegMgr; no ImagePath
U2 nvUpdatusService; no ImagePath
U2 Oasis2Service; no ImagePath
U2 PCCarerServic; no ImagePath
U2 ReadyComm.DirectRouter; no ImagePath
U2 RichVideo; no ImagePath
U2 RtLedService; no ImagePath
U2 SoftwareService; no ImagePath
U2 Stereo Service; no ImagePath
S2 VBoxAswDrv; \??\C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [X]
Task: {2D71F9DD-230F-42CD-B4D0-55DAC2066C34} - \Microsoft\Windows\Windows Activation Technologies\ValidationTask -> No File <==== ATTENTION
Task: {2F57269B-1E09-4E2D-AB1E-B0FDAC7D279C} - \Microsoft\Windows\WindowsBackup\ConfigNotification -> No File <==== ATTENTION
Task: {8A06FBBA-9396-4DB0-9654-D8A020A41143} - \Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline -> No File <==== ATTENTION
Task: {A757F718-B98D-4914-9483-AAEE6EF46268} - \Taplika cafe -> No File <==== ATTENTION
Task: {AC4E5ACF-89F7-4220-BA21-81EE183975E2} - \Microsoft\Windows\Application Experience\AitAgent -> No File <==== ATTENTION
Task: {CEE64558-E1A7-4D9D-80A7-2001912BE5B5} - \Microsoft\Windows\MemoryDiagnostic\CorruptionDetector -> No File <==== ATTENTION
Task: {FA2BC0A6-8D4B-458A-85C8-2B8C72487513} - \Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Temp:1D559578 [143]
C:\Users\Quxei
C:\Users\Akstp
C:\Users\Mike\Documents\Zvalue173
C:\Users\Mike\Documents\Adata171
C:\xsettingsettings73
C:\Accaches123
C:\Users\ASKqsx
C:\Users\QW4aw
C:\Users\Bdates202
C:\Users\Sconfig172

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

p.s.
If the following folders are not removed please Start the Computer in Safe Mode and delete them.

C:\Users\Quxei
C:\Users\Akstp
C:\Users\Mike\Documents\Zvalue173
C:\Users\Mike\Documents\Adata171
C:\xsettingsettings73
C:\Accaches123
C:\Users\ASKqsx
C:\Users\QW4aw
C:\Users\Bdates202
C:\Users\Sconfig172



Restart the computer normally.

Let me know what problem persists.

#5 zse45tgb

zse45tgb
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Local time:06:01 AM

Posted 07 June 2017 - 09:47 AM

Fix result of Farbar Recovery Scan Tool (x64) Version: 05-06-2017
Ran by Dr. Feelgood (07-06-2017 06:26:32) Run:1
Running from C:\Users\Dr. Feelgood\Downloads
Loaded Profiles: Mike & Dr. Feelgood (Available Profiles: Mike & Dr. Feelgood & Guest)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Toolbar: HKU\S-1-5-21-1486635349-3231517910-980370596-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @oberon-media.com/ONCAdapter -> C:\Program Files (x86)\Common Files\Oberon Media\NCAdapter\1.0.0.8\npapicomadapter.dll [No File]
S3 AvastVBoxSvc; C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe [X]
U2 CLKMSVC10_C3B3B687; no ImagePath
U2 DriverService; no ImagePath
U2 IAStorDataMgrSvc; no ImagePath
U2 idealife Update Service; no ImagePath
U3 IGRS; no ImagePath
U2 IviRegMgr; no ImagePath
U2 nvUpdatusService; no ImagePath
U2 Oasis2Service; no ImagePath
U2 PCCarerServic; no ImagePath
U2 ReadyComm.DirectRouter; no ImagePath
U2 RichVideo; no ImagePath
U2 RtLedService; no ImagePath
U2 SoftwareService; no ImagePath
U2 Stereo Service; no ImagePath
S2 VBoxAswDrv; \??\C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [X]
Task: {2D71F9DD-230F-42CD-B4D0-55DAC2066C34} - \Microsoft\Windows\Windows Activation Technologies\ValidationTask -> No File <==== ATTENTION
Task: {2F57269B-1E09-4E2D-AB1E-B0FDAC7D279C} - \Microsoft\Windows\WindowsBackup\ConfigNotification -> No File <==== ATTENTION
Task: {8A06FBBA-9396-4DB0-9654-D8A020A41143} - \Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline -> No File <==== ATTENTION
Task: {A757F718-B98D-4914-9483-AAEE6EF46268} - \Taplika cafe -> No File <==== ATTENTION
Task: {AC4E5ACF-89F7-4220-BA21-81EE183975E2} - \Microsoft\Windows\Application Experience\AitAgent -> No File <==== ATTENTION
Task: {CEE64558-E1A7-4D9D-80A7-2001912BE5B5} - \Microsoft\Windows\MemoryDiagnostic\CorruptionDetector -> No File <==== ATTENTION
Task: {FA2BC0A6-8D4B-458A-85C8-2B8C72487513} - \Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Temp:1D559578 [143]
C:\Users\Quxei
C:\Users\Akstp
C:\Users\Mike\Documents\Zvalue173
C:\Users\Mike\Documents\Adata171
C:\xsettingsettings73
C:\Accaches123
C:\Users\ASKqsx
C:\Users\QW4aw
C:\Users\Bdates202
C:\Users\Sconfig172

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\SOFTWARE\Policies\Google => key removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} => value removed successfully
HKCR\CLSID\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} => key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} => value removed successfully
HKCR\CLSID\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} => key not found.
HKU\S-1-5-21-1486635349-3231517910-980370596-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value removed successfully
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => key not found.
HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@oberon-media.com/ONCAdapter => key removed successfully
HKLM\System\CurrentControlSet\Services\AvastVBoxSvc => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\CLKMSVC10_C3B3B687 => key removed successfully
CLKMSVC10_C3B3B687 => service removed successfully
HKLM\System\CurrentControlSet\Services\DriverService => key removed successfully
DriverService => service removed successfully
HKLM\System\CurrentControlSet\Services\IAStorDataMgrSvc => key removed successfully
IAStorDataMgrSvc => service removed successfully
HKLM\System\CurrentControlSet\Services\idealife Update Service => key removed successfully
idealife Update Service => service removed successfully
HKLM\System\CurrentControlSet\Services\IGRS => key removed successfully
IGRS => service removed successfully
HKLM\System\CurrentControlSet\Services\IviRegMgr => key removed successfully
IviRegMgr => service removed successfully
HKLM\System\CurrentControlSet\Services\nvUpdatusService => key removed successfully
nvUpdatusService => service removed successfully
HKLM\System\CurrentControlSet\Services\Oasis2Service => key removed successfully
Oasis2Service => service removed successfully
HKLM\System\CurrentControlSet\Services\PCCarerServic => key removed successfully
PCCarerServic => service removed successfully
HKLM\System\CurrentControlSet\Services\ReadyComm.DirectRouter => key removed successfully
ReadyComm.DirectRouter => service removed successfully
HKLM\System\CurrentControlSet\Services\RichVideo => key removed successfully
RichVideo => service removed successfully
HKLM\System\CurrentControlSet\Services\RtLedService => key removed successfully
RtLedService => service removed successfully
HKLM\System\CurrentControlSet\Services\SoftwareService => key removed successfully
SoftwareService => service removed successfully
HKLM\System\CurrentControlSet\Services\Stereo Service => key removed successfully
Stereo Service => service removed successfully
HKLM\System\CurrentControlSet\Services\VBoxAswDrv => key could not remove, key could be protected
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2D71F9DD-230F-42CD-B4D0-55DAC2066C34} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2D71F9DD-230F-42CD-B4D0-55DAC2066C34} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Activation Technologies\ValidationTask => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2F57269B-1E09-4E2D-AB1E-B0FDAC7D279C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2F57269B-1E09-4E2D-AB1E-B0FDAC7D279C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsBackup\ConfigNotification => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8A06FBBA-9396-4DB0-9654-D8A020A41143} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8A06FBBA-9396-4DB0-9654-D8A020A41143} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A757F718-B98D-4914-9483-AAEE6EF46268} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A757F718-B98D-4914-9483-AAEE6EF46268} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Taplika cafe => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AC4E5ACF-89F7-4220-BA21-81EE183975E2} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AC4E5ACF-89F7-4220-BA21-81EE183975E2} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Application Experience\AitAgent => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CEE64558-E1A7-4D9D-80A7-2001912BE5B5} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CEE64558-E1A7-4D9D-80A7-2001912BE5B5} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\MemoryDiagnostic\CorruptionDetector => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FA2BC0A6-8D4B-458A-85C8-2B8C72487513} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FA2BC0A6-8D4B-458A-85C8-2B8C72487513} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector => key removed successfully
C:\ProgramData\Temp => ":1D559578" ADS removed successfully.
"C:\Users\Quxei" => not found.
"C:\Users\Akstp" => not found.
"C:\Users\Mike\Documents\Zvalue173" => not found.
"C:\Users\Mike\Documents\Adata171" => not found.
"C:\xsettingsettings73" => not found.
"C:\Accaches123" => not found.
"C:\Users\ASKqsx" => not found.
"C:\Users\QW4aw" => not found.
"C:\Users\Bdates202" => not found.
"C:\Users\Sconfig172" => not found.

=========== EmptyTemp: ==========

BITS transfer queue => 12582912 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 6337780 B
Java, Flash, Steam htmlcache => 456 B
Windows/system/drivers => 162525755 B
Edge => 0 B
Chrome => 0 B
Firefox => 49643299 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 49806 B
systemprofile32 => 66228 B
LocalService => 0 B
NetworkService => 0 B
Mike => 38782830 B
Dr. Feelgood => 60954787 B
Guest => 5894283 B

RecycleBin => 0 B
EmptyTemp: => 321.2 MB temporary data Removed.

================================

When booting in Safe Mode none of the offending Users or folders show up. When booting normally as Admin, none of the offending Users show up, but there is still at least 2 folders (Acsettings107 & xfound184).

When booting normally as Mike the Users and Folders are still there, or have re-spawned with slightly different names.
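The profile-looking folders that the fixlist above targets, and that this post reports coming back under new names, can be triaged before anything is deleted. The PowerShell script below is an added example, not from the thread or from any of the tools used in it: it lists every folder under C:\Users and marks whether Windows registered it as a profile (ProfileList) and whether a matching local account exists, plus attributes and owner. It assumes an elevated prompt on Windows 7 or later and reads only; it removes nothing.

```powershell
# Added example: reconcile the folders under \Users against the profiles and
# accounts Windows actually knows about. Folders with no registered profile and
# no local account behind them are the ones worth a closer look.
# Run from an elevated PowerShell prompt; nothing here modifies the system.

$usersRoot = Join-Path $env:SystemDrive 'Users'

# Stock folders that are never in ProfileList as subkeys (Default is stored as
# a value, Public is special, the other two are compatibility junctions).
$stockFolders = @('Public', 'Default', 'Default User', 'All Users')

# 1. Profile folders Windows registered, keyed by their on-disk path -> SID.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$registered = @{}
Get-ChildItem $profileList | ForEach-Object {
    $path = (Get-ItemProperty $_.PSPath).ProfileImagePath
    if ($path) {
        $path = [Environment]::ExpandEnvironmentVariables($path)
        $registered[$path.ToLower()] = $_.PSChildName   # subkey name is the SID
    }
}

# 2. Local accounts known to the SAM (Win32_UserAccount is available on Win 7).
$localAccounts = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    ForEach-Object { $_.Name.ToLower() }

# 3. Walk every directory under \Users. -Force is required, because a folder
#    marked hidden/system would otherwise not be listed at all.
Get-ChildItem $usersRoot -Force |
    Where-Object { $_.PSIsContainer -and ($stockFolders -notcontains $_.Name) } |
    ForEach-Object {
        $sid = $registered[$_.FullName.ToLower()]
        New-Object PSObject -Property @{
            Folder       = $_.Name
            Registered   = [bool]$sid                      # has a ProfileList entry
            LocalAccount = ($localAccounts -contains $_.Name.ToLower())
            Hidden       = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
            System       = [bool]($_.Attributes -band [IO.FileAttributes]::System)
            Owner        = (Get-Acl $_.FullName).Owner     # which account created it
            Created      = $_.CreationTime
        }
    } |
    Sort-Object Registered, Folder |
    Format-Table Folder, Registered, LocalAccount, Hidden, System, Owner, Created -AutoSize
```

A row with Registered and LocalAccount both False is a folder no account owns a profile in; its Owner and Created columns show under whose session and when it appeared, which is the context to record before deleting it, since a folder that only shows up while one particular user is logged in points at something running in that user's session rather than at a system-wide service.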



#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,587 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:01 AM

Posted 07 June 2017 - 09:54 AM


Some files/folder may be hidden, make sure you can see them all.

Unhide files/folders in Windows.
How To:
http://windows.microsoft.com/en-ca/windows/show-hidden-files#show-hidden-files=windows-7
<<<>>>


Let's check further.

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 3 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

rkill.exe
rkill.com
rkill.scr

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

When completed it will create a log. Please post the content on your next reply.
===

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

#7 zse45tgb

zse45tgb
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Local time:06:01 AM

Posted 07 June 2017 - 11:40 AM

Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 06/07/2017 08:59:40 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Disabled

 * TBS [Missing Service]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 06/07/2017 08:59:49 AM
Execution time: 0 hours(s), 0 minute(s), and 9 seconds(s)

RogueKiller V12.11.1.0 (x64) [Jun  4 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Dr. Feelgood [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 06/07/2017 09:08:54 (Duration : 00:18:55)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 16 ¤¤¤
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Replaced (2)
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Replaced (2)
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1486635349-3231517910-980370596-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyComputer : 2  -> Replaced (1)
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1486635349-3231517910-980370596-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowControlPanel : 2  -> Replaced (1)
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1486635349-3231517910-980370596-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 2  -> Replaced (1)
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1486635349-3231517910-980370596-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Replaced (1)
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1486635349-3231517910-980370596-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyComputer : 2  -> Replaced (1)
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1486635349-3231517910-980370596-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowControlPanel : 2  -> Replaced (1)
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1486635349-3231517910-980370596-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 2  -> Replaced (1)
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1486635349-3231517910-980370596-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Replaced (1)
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1486635349-3231517910-980370596-1018\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 2  -> Replaced (1)
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1486635349-3231517910-980370596-1018\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Replaced (1)
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1486635349-3231517910-980370596-1018\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowControlPanel : 2  -> Replaced (1)
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1486635349-3231517910-980370596-1018\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 2  -> Replaced (1)
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1486635349-3231517910-980370596-1018\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Replaced (1)
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1486635349-3231517910-980370596-1018\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowControlPanel : 2  -> Replaced (1)

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: HITACHI HTS547575A9E384 +++++
--- User ---
[MBR] 6a5f03655ad2b612af7244b60529f068
[BSP] 60cdbfac798e7cafda23328b3028fe9a : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 200 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 411648 | Size: 670402 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 1373394944 | Size: 29693 MB
3 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 1434206208 | Size: 15108 MB
User = LL1 ... OK
User = LL2 ... OK

After scanning, the Users & folders still exist, but I have not rebooted.



#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,587 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:01 AM

Posted 07 June 2017 - 12:51 PM

Reboot to reset the registry.

#9 zse45tgb

zse45tgb
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Local time:06:01 AM

Posted 08 June 2017 - 02:11 AM

After rebooting, the Users & folders still exist. I booted in Safe Mode and the Users & Folders were not there to delete. After that I booted normally and tried to delete the Users and received an Alert from Cybereason RansomFree saying an attempt had been made to lock up my computer; those are the screenshots attached. Even though I did as directed, the Users re-spawned again. I have not tried to mess with the c:\windows\System32\dllhost.exe part mentioned without adult supervision. That I never got any type of message until trying to delete Users makes me wonder if I have sloppily coded ransomware, or simply a false positive.

I appreciate your time and await your direction.

Mike


Attached File  Ransom.jpg   82.73KB   0 downloads

Attached File  Ransom2.jpg   98.97KB   0 downloads



#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,587 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:01 AM

Posted 08 June 2017 - 07:27 AM

Let's see what we can find in the Registry.

Farbar Recovery Scan Tool (FRST) - Registry Search
Follow the instructions below to download and execute a Registry search on your system with FRST, and provide the log in your next reply.
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • In the Search text area, copy and paste the following:
dllhost.exe
  • Once done, click on the Search Registry button and wait for FRST to finish the search;
  • On completion, a log will open in Notepad. Copy and paste its content in your next reply;
===

Run this cleaning tool also.

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

===

#11 zse45tgb

zse45tgb
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:06:01 AM

Posted 08 June 2017 - 04:06 PM

Farbar Recovery Scan Tool (x64) Version: 07-06-2017 01
Ran by Dr. Feelgood (08-06-2017 07:51:04)
Running from C:\Users\Dr. Feelgood\Downloads
Boot Mode: Normal

================== Search Registry: "dllhost.exe" ===========

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\amd64_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_a018e05d0d33081d]
"f!dllhost.exe"="0x64006C006C0068006F00730074002E00650078006500"
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_43fa44d954d596e7]
"f!dllhost.exe"="0x64006C006C0068006F00730074002E00650078006500"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Performance\Resolvers]
"SystemBinariesList"="win32k.sys:winlogon.exe:EXPLORER.EXE:CSRSS.Exe:dwm.exe:logon.scr:logonui.exe:lsass.exe:lsm.exe:ntkrpamp.exe:ntoskrnl.exe:RUNDLL32.EXE:services.exe:sppsvc.exe:smss.exe:spoolsv.exe:svchost.exe:taskeng.exe:WinInit.exe:WISPTIS.EXE:dllhost.exe:dllhst3g.exe:cscript.exe:mmc.exe:msiexec.exe:upnpcont.exe:wscript.exe:WUDFHost.exe:dfsvc.exe:dfsvc.exe:fdbs.exe:ntfsbs.exe:memdiag.exe:NETFXSBS10.exe:applaunch.exe:aspnet_compiler.exe:aspnet_regbrowsers.exe:aspnet_regiis.exe:aspnet_regsql.exe:aspnet_state.exe:aspnet_wp.exe:caspol.exe:csc.exe:CVTRES.EXE:dfsvc.exe:dw20.exe:IEExec.exe:ilasm.exe:InstallUtil.exe:jsc.exe:MSBuild.exe:mscorsvw.exe:ngen.exe:RegAsm.exe::RegSvcs.exe:vbc.exe:TrustedInstaller.exe:Aurora.scr:AutoChk.Exe:AUTOFMT.EXE:CHKDSK.EXE:CHKNTFS.EXE:consent.exe:PnPUnattend.exe:PnPutil.exe:RacAgent.exe:fsquirt.exe:Uninst.exe:updateWmc.exe:wmdc.exe:wmdsync.exe:mofcomp.exe:ScrCons.exe:smi2smir.exe:unsecapp.exe:wbemtest.exe:winmgmt.exe:wmic.exe:bfsvc.exe:Twunk_16.exe:Twunk_32.exe:wuauclt.exe:wsqmcons.exe:sapisvr.exe:WinSAT.exe:p2phost.exe:SearchProtocolHost.exe:WerFault.exe:drvinst.exe:ehshell.exe:UI0Detect.exe:ehtray.exe:HelpPane.exe:mrt.exe:SearchFilterHost.exe:mobsync.exe:Narrator.exe:SLUI.exe:taskmgr.exe:PresentationSettings.exe:vds.exe:sdclt.exe:irftp.exe:DFDWiz.exe:SndVol.exe:makecab.exe:msfeedssync.exe:unregmp2.exe:DeviceProperties.exe:rstrui.exe:MdRes.exe:netsh.exe:printui.exe:mcupdate.exe:4mmdat.sys:61883.sys:ACPI.sys:amdk7.sys:amdk8.sys:ASYNCMAC.SYS:atapi.sys:AVC.SYS:cdfs.sys:cdrom.sys:circlass.sys:cmbatt.sys:crusoe.sys:CSC.Sys:dc21x4vm.sys:disk.sys:dot4.sys:dot4usb.sys:drmkaud.sys:ecache.sys:fdc.sys:floppy.sys:hdaudbus.sys:HDAudio.sys:HIDBTH.SYS:HIDIR.SYS:i8042prt.sys:intelppm.sys:irenum.SYS:IRSIR.SYS:kbdclass.sys:kbdhid.sys:LOOP.SYS:mf.sys:monitor.sys:mouclass.sys:mouhid.sys:msisadrv.sys:msiscsi.sys:NDISWAN.SYS:nsiproxy.sys:ohci1394.sys:pci.sys:pciide.sys:powerfil.sys:processr.sys:rasl2tp.sys:raspppoe.sys:RASPPTP.SYS:RDPCDD.SYS:rfcomm.sys:sbp2port.sys:sdbus.sys:serenum.sys:serial.sys:sermouse.sys:sffdisk.sys:sffp_mmc.sys:smbios.sys:swenum.sys:tdx.sys:termdd.sys:tpm.sys:tunmp.sys:tunnel.sys:umbus.sys:update.sys:usb8023.sys:USBAudio.sys:USBCCGP.SYS:usbcir.sys:USBEHCI.sys:usbhub.sys:USBOHCI.sys:usbprint.sys:USBUHCI.sys:viac7.sys:wacompen.sys:wceusbsh.sys:winusb.sys:ws2ifsl.sys:xnacc.sys"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation]
"HostApps"="RUNDLL32.EXE;MSHTA.EXE;DLLHOST.EXE;APPLAUNCH.EXE;HH.EXE;WINHLP32.EXE;MMC.EXE;"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FileAssociation]
"HostApps"="RUNDLL32.EXE;MSHTA.EXE;DLLHOST.EXE;APPLAUNCH.EXE;HH.EXE;WINHLP32.EXE;MMC.EXE;"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\COMSysApp]
"ImagePath"="%SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}"

====== End of Search ======

As you can see, here is the result for the registry search.

The zoek scan presented a bit of a problem, however. Things were going great for the first half hour, and then nothing happened for the next 5 hours except for the cursor flashing about 10 times from time to time and my laptop getting quite hot. When I tried to close zoek, it refused to close, so I shut my unit down. I didn't shut my unit down for lack of patience; my laptop got too hot to rest my hand on the left side of the touchpad, and burning it up isn't really the solution I was looking for.

Here is as far as it got:

Zoek.exe v5.0.0.1 Updated 27-09-2015
Tool run by Dr. Feelgood on Thu 06/08/2017 at  8:01:31.09.
Microsoft Windows 7 Home Premium  6.1.7601 Service Pack 1 x64
Running in: Normal Mode No Internet Access Detected
Launched: C:\Users\Dr. Feelgood\Downloads\zoek.exe [Scan all users] [Script inserted]

===== Runcheck  8:02:20.56 =====

--- Create Environment Variables  8:02:23.57
--- Create System Restore Point  8:02:36.11
--- Checking Input  8:02:56.50
--- AU AppData Check  8:03:26.08
--- Remove From Windows Installer  8:03:34.05
--- Empty Folders Check  8:07:04.88
--- Registry HKLM Software Check  8:07:05.10
--- Quick Launch Shortcut Check  8:07:30.79
--- IE Startpage Check  8:07:37.02
--- Program Files DB Check  8:08:22.41
--- C:\Users\Default\AppData\Roaming DB Check  8:09:28.34
--- C:\Users\Default User\AppData\Roaming DB Check  8:09:28.34
--- C:\Users\Dr. Feelgood\AppData\Roaming DB Check  8:09:28.34
--- C:\Users\Guest\AppData\Roaming DB Check  8:09:28.34
--- C:\Users\Mike\AppData\Roaming DB Check  8:09:28.34
--- C:\Users\DRF431~1.FEE\AppData\Roaming DB Check  8:09:28.34
--- C:\windows\SysNative\config\systemprofile\AppData\Roaming DB Check  8:09:28.34
--- C:\windows\sysWoW64\config\systemprofile\AppData\Roaming DB Check  8:09:28.34
--- C:\windows\serviceprofiles\networkservice\AppData\Roaming DB Check  8:09:28.34
--- C:\windows\serviceprofiles\Localservice\AppData\Roaming DB Check  8:09:28.34
--- C:\Users\Dr. Feelgood DB Check  8:14:08.83
--- C:\PROGRA~3 DB Check  8:14:33.94
--- C:\Users\Default\AppData\Local DB Check  8:14:45.00
--- C:\Users\Default User\AppData\Local DB Check  8:14:45.00
--- C:\Users\Dr. Feelgood\AppData\Local DB Check  8:14:45.00
--- C:\Users\Guest\AppData\Local DB Check  8:14:45.00
--- C:\Users\Mike\AppData\Local DB Check  8:14:45.00
--- C:\Users\DRF431~1.FEE\AppData\Local DB Check  8:14:45.00
--- C:\windows\SysNative\config\systemprofile\AppData\Local DB Check  8:14:45.00
--- C:\windows\sysWoW64\config\systemprofile\AppData\Local DB Check  8:14:45.00
--- C:\windows\serviceprofiles\networkservice\AppData\Local DB Check  8:14:45.00
--- C:\windows\serviceprofiles\Localservice\AppData\Local DB Check  8:14:45.00
--- C:\ProgramData\Microsoft\Windows\Start Menu\Programs DB Check  8:18:03.05
--- C:\Users\Dr. Feelgood\AppData\Roaming\Microsoft\Windows\Start Menu\Programs DB Check  8:18:17.99
--- Tasks DB Check  8:18:27.51
--- Downloads DB Check  8:18:33.37
--- C:\Users\Dr. Feelgood\AppData\LocalLow DB Check  8:18:40.22
--- C:\Users\Guest\AppData\LocalLow DB Check  8:18:40.22
--- C:\Users\Mike\AppData\LocalLow DB Check  8:18:40.22
--- C:\Users\DRF431~1.FEE\AppData\LocalLow DB Check  8:18:40.22
--- C:\windows\SysNative\config\systemprofile\AppData\LocalLow DB Check  8:18:40.22
--- C:\windows\sysWoW64\config\systemprofile\AppData\LocalLow DB Check  8:18:40.22
--- C:\windows\serviceprofiles\networkservice\AppData\LocalLow DB Check  8:18:40.22
--- C:\windows\serviceprofiles\Localservice\AppData\LocalLow DB Check  8:18:40.22
--- Tasks2 DB Check  8:20:41.75
--- Documents DB Check  8:21:27.39
--- C:\Users\DRF431~1.FEE\AppData\Roaming\Mozilla\Firefox\Profiles\260paz3a.default DB Check  8:21:45.77
--- C:\Users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\ovlob6v9.default DB Check  8:21:45.77
--- C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6puf6ay5.default-1440978726893 DB Check  8:21:45.77
--- C:\Users\Public\Desktop DB Check  8:21:56.36
--- C:\Users\Dr. Feelgood\Desktop DB Check  8:22:04.82
--- Services DB Check  8:22:20.14
--- FF prefs.js DB Check  8:23:42.10
--- Emptyclsid  8:27:10.37
--- Del by CLSID  8:27:15.01
--- Delete Services  8:28:22.70
--- Firefox Fix  8:28:26.16
--- Batch Commands  8:28:43.01
--- Delete files\folders  8:28:43.48
--- Create Backups  8:28:43.77
--- Firefox Extensions  8:29:18.29

Here is the warning message I got when trying to close zoek:

Zoek.exe is running now.
Do not start any browser windows, they may get closed automatically.
Please wait! This window will close when finished.
A logfile will open afterwards and can also be found on your systemdrive as zoek-results.log

Perhaps there is something that is causing it to hang that we need to deal with before running it again?

Any idea how long zoek should run?

Thanks again, and I await your instructions,

Mike

#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,587 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:01 AM

Posted 09 June 2017 - 08:03 AM

Maybe Cybereason is protecting your system from the Zoek options to remove some items.

Run Option 3 as suggested here.

You already have the Zoek tool. Follow my lead here.
  • Download Zoek and save it to your Desktop
  • Right click the icon, select Run as Administrator, and wait for the Program to appear on your Desktop (may take 15 seconds or so)
  • Verify Scan All Users is selected then click Run Script
  • Type 3 in the lower box to Perform only a Deep Scan then click OK
  • Wait patiently for the program to run
  • Do not use your computer while the scan is running
  • When completed a zoek-results.txt report will appear on your desktop. Copy and paste the contents in your reply
If Zoek stops running as it did previously, close the process using the Task Manager.

Keep me posted.

#13 zse45tgb

zse45tgb
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:06:01 AM

Posted 09 June 2017 - 11:33 AM

I had the same problem again, only I chose not to wait as long. I had to reboot in order to shut zoek down, but I started zoek again and copied the log and did not start the scan again.

Zoek.exe v5.0.0.1 Updated 27-09-2015
Tool run by Dr. Feelgood on Fri 06/09/2017 at  8:01:46.35.
Microsoft Windows 7 Home Premium  6.1.7601 Service Pack 1 x64
Running in: Normal Mode No Internet Access Detected
Launched: C:\Users\Dr. Feelgood\Downloads\zoek.exe [Scan all users]   [Deep Scan]

==== Older Logs ======================

C:\zoek-results2017-06-08-152917.log    7983 bytes

==== Running Processes ======================

C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Cybereason\RansomFree\CybereasonRansomFreeServiceHost.exe
C:\Program Files (x86)\GNU\GnuPG\dirmngr.exe
C:\Program Files (x86)\Cybereason\RansomFree\CybereasonRansomFree.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\Cyberlink\Shared files\brs.exe
C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Cybereason\RansomFree\CybereasonRansomFree.exe
C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\Cyberlink\Shared files\brs.exe
C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe
C:\Users\Dr. Feelgood\Downloads\zoek.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\SysWOW64\cmd.exe

==== System Specs ======================

Windows: Windows 7 Home Premium Edition (64-bit) Service Pack 1 (Build 7601)
Memory (RAM): 8107 MB
CPU Info: Intel® Core™ i5-2450M CPU @ 2.50GHz
CPU Speed: 2568.7 MHz
Sound Card: Speakers (Realtek High Definiti |
Display Adapters: Intel® HD Graphics 3000 | Intel® HD Graphics 3000 | RDPDD Chained DD | RDP Encoder Mirror Driver | RDP Reflector Display Driver
Monitors: 1x; Generic PnP Monitor |
Screen Resolution: 1366 X 768 - 32 bit
Network: Network Present
Network Adapters: Microsoft Virtual WiFi Miniport Adapter #2 | Microsoft Virtual WiFi Miniport Adapter | Intel® Centrino® Wireless-N 1000 | Realtek PCIe FE Family Controller | Bluetooth Device (Personal Area Network)
CD / DVD Drives: 1x (F: | ) F: HL-DT-STBDDVDRW CT30N
Ports: COM Ports NOT Present. LPT Port NOT Present.
Mouse: 16 Button Wheel Mouse Present
Hard Disks: C:  654.7GB | D:  29.0GB | Q:  0.0MB
Hard Disks - Free: C:  585.8GB | D:  26.2GB | Q:  0.0MB
Manufacturer *: LENOVO
BIOS Info: AT/AT COMPATIBLE | 10/21/11 | LENOVO - 1
Time Zone: Pacific Standard Time
Motherboard *: LENOVO Emerald Lake
Country: United States
Language: ENU

==== System Specs (Software) ======================

Anti-Virus: Avast Antivirus On-access scanning disabled (Outdated)
Anti-Virus: Malwarebytes On-access scanning disabled (Outdated)
Anti-Spyware: Malwarebytes disabled (Outdated)
Anti-Spyware: Windows Defender disabled (Outdated)
Anti-Spyware: Avast Antivirus disabled (Outdated)
Default Browser: Firefox    53.0.3
Internet Explorer Version: 11.0.9600.18665
Mozilla Firefox version: 51.0.1 (x86 en-US)
Adobe Reader version: 17.9.20044.222436

==== Files Recently Created / Modified ======================

====== C:\windows ====
2017-06-08 20:34:16    B58AC498DD0D3505CEC2B87CB20C2228    22    ----a-w-    C:\windows\S.dirmngr
====== C:\Users\DRF431~1.FEE\AppData\Local\Temp ====
2017-06-07 16:04:42    3B2EC6740EFAC4E229C068B559A49D8A    1732864    ----a-w-    C:\Users\DRF431~1.FEE\AppData\Local\Temp\dllnt_dump.dll
2017-06-07 16:04:42    3B2EC6740EFAC4E229C068B559A49D8A    1732864    ----a-w-    C:\Users\Dr. Feelgood\AppData\Local\Temp\dllnt_dump.dll
====== Java Cache =====
====== C:\windows\SysWOW64 =====
====== C:\windows\SysWOW64\drivers =====
====== C:\windows\Sysnative =====
2017-05-28 19:10:44    C7FB2578AD61DB530FF8169348EE9A30    400456    ----a-w-    C:\windows\Sysnative\aswBoot.exe
====== C:\windows\Sysnative\drivers =====
2017-06-07 16:08:55    0D5A09B08568760AE85A801FCBC0F83D    28272    ----a-w-    C:\windows\Sysnative\drivers\TrueSight.sys
2017-05-29 03:27:59    E095FFE590241C1765D093E91E325147    188312    ----a-w-    C:\windows\Sysnative\drivers\MBAMChameleon.sys
2017-05-29 03:27:51    D2E49FBBFCDB16584C6E457B2888E453    84256    ----a-w-    C:\windows\Sysnative\drivers\mwac.sys
2017-05-29 03:27:51    C51267EE2726707D38C489C06DDF01ED    113592    ----a-w-    C:\windows\Sysnative\drivers\farflt.sys
2017-05-29 03:27:48    68B3141EEFEA3AF9C244945B52247241    44960    ----a-w-    C:\windows\Sysnative\drivers\mbam.sys
2017-05-29 03:27:42    913F4230E29E312D1B4B02E2BAC67C87    252832    ----a-w-    C:\windows\Sysnative\drivers\MBAMSwissArmy.sys
2017-05-29 03:27:26    5C9CA030C451CB3553DB9094C68EE6E9    77376    ----a-w-    C:\windows\Sysnative\drivers\mbae64.sys
2017-05-10 16:35:32    351A21ED3971ADD558956FF3EB0F6FED    1895656    ----a-w-    C:\windows\Sysnative\drivers\tcpip.sys
2017-05-10 16:35:31    546C81F238F084A393EC54114741A0A8    460800    ----a-w-    C:\windows\Sysnative\drivers\srv.sys
2017-05-10 16:35:30    30545EF2A1E3EF79450AED5DF80F5884    986856    ----a-w-    C:\windows\Sysnative\drivers\dxgkrnl.sys
2017-05-10 16:35:29    7E45F8B117419ABA3BB26579F6E70324    195584    ----a-w-    C:\windows\Sysnative\drivers\exfat.sys
2017-05-10 16:35:29    6EDFA237D25433C03F42FBFDB16BDD24    205312    ----a-w-    C:\windows\Sysnative\drivers\fastfat.sys
2017-05-10 16:35:29    431D2B06E8F93EAEC53E8FA37FCFF2F1    405504    ----a-w-    C:\windows\Sysnative\drivers\srv2.sys
2017-05-10 16:35:28    EC75A942C32F7F405659D86156DCE4C5    117760    ----a-w-    C:\windows\Sysnative\drivers\tdx.sys
2017-05-10 16:35:28    0DC2A9882540DEA4A55B08785E09D8FC    496128    ----a-w-    C:\windows\Sysnative\drivers\afd.sys
2017-05-10 16:35:27    945F4DA63A76EB2725C070BF3A86B5A5    154856    ----a-w-    C:\windows\Sysnative\drivers\ksecpkg.sys
2017-05-10 16:35:27    313DCA1458E213D6396037536A830A6F    287976    ----a-w-    C:\windows\Sysnative\drivers\FWPKCLNT.SYS
2017-05-10 16:35:27    1C5C49C1A07D33ACCABBABF66E605A1F    377576    ----a-w-    C:\windows\Sysnative\drivers\netio.sys
2017-05-10 16:35:27    15682ED7B70B186C9C2BE6CA423D8E74    95464    ----a-w-    C:\windows\Sysnative\drivers\ksecdd.sys
2017-05-10 16:35:26    FB68E4BB61CA0FFB45BDE11BA606891A    265448    ----a-w-    C:\windows\Sysnative\drivers\dxgmms1.sys
2017-05-10 16:35:26    42EDAB3E3E8E25C7093674936C2DB4BD    168960    ----a-w-    C:\windows\Sysnative\drivers\srvnet.sys
2017-05-10 16:35:26    054F780A442DB96F9FE10501B35E75CA    159744    ----a-w-    C:\windows\Sysnative\drivers\mrxsmb.sys
2017-05-10 16:35:25    A1EAC982807B3179DD92235B6B709C0A    291328    ----a-w-    C:\windows\Sysnative\drivers\mrxsmb10.sys
2017-05-10 16:35:24    E6B504F163094F2DB84F7D34A893FA00    129536    ----a-w-    C:\windows\Sysnative\drivers\mrxsmb20.sys
2017-05-10 16:35:24    00D77B30CA9CB1D7793AC952549331A0    62464    ----a-w-    C:\windows\Sysnative\drivers\appid.sys
====== C:\windows\Tasks ======
2017-05-28 19:12:20    E724E787DED552C73CA95A54E9C1E174    3894    ----a-w-    C:\windows\Sysnative\Tasks\SafeZone scheduled Autoupdate 1467713979
====== C:\windows\Temp ======
======= C:\Program Files =====
2017-06-07 16:04:26    --------    d-----w-    C:\Program Files\RogueKiller
======= C:\PROGRA~2 =====
======= C: =====
====== C:\Users\Dr. Feelgood\AppData\Roaming ======
2017-06-08 20:34:25    --------    d-----w-    C:\Users\DRF431~1.FEE\AppData\Local\VirtualStore
2017-06-08 20:34:25    --------    d-----w-    C:\Users\Dr. Feelgood\AppData\Local\VirtualStore
2017-06-08 20:33:55    --------    d-----w-    C:\Users\DRF431~1.FEE\AppData\Local\Microsoft
2017-06-08 20:33:55    --------    d-----w-    C:\Users\Dr. Feelgood\AppData\Local\Microsoft
2017-06-08 06:54:55    --------    d-----w-    C:\Users\DRF431~1.FEE\AppData\Roaming\IrfanView
2017-06-08 06:54:55    --------    d-----w-    C:\Users\Dr. Feelgood\AppData\Roaming\IrfanView
2017-06-01 19:36:55    --------    d-----w-    C:\Users\DRF431~1.FEE\AppData\Locallow\Mozilla
2017-06-01 19:36:55    --------    d-----w-    C:\Users\Dr. Feelgood\AppData\Locallow\Mozilla
2017-05-29 01:50:43    --------    d-----w-    C:\Users\DRF431~1.FEE\AppData\Roaming\StreamTorrent
2017-05-29 01:50:43    --------    d-----w-    C:\Users\Dr. Feelgood\AppData\Roaming\StreamTorrent
2017-05-29 01:49:41    --------    d-----w-    C:\Users\DRF431~1.FEE\AppData\Roaming\uTorrent
2017-05-29 01:49:41    --------    d-----w-    C:\Users\Dr. Feelgood\AppData\Roaming\uTorrent
2017-05-28 00:53:02    --------    d-----w-    C:\Users\DRF431~1.FEE\AppData\Local\Runscanner.net
2017-05-28 00:53:02    --------    d-----w-    C:\Users\Dr. Feelgood\AppData\Local\Runscanner.net
====== C:\Users\Dr. Feelgood ======
2017-06-08 20:34:40    FB29735260F071B76BDDF491E43721CF    207566    ----a-w-    C:\Users\Ak2ce5zj\cheekcollectioneffectiveness.mdb
2017-06-08 20:34:40    CDE2535B024ADBDA9E0ED2C6DC3E50B3    60110    ----a-w-    C:\Users\Ak2ce5zj\climbedvirginiabake.xls
2017-06-08 20:34:40    BD2B98E1AEC4AD56B142BFBF60BF11C8    223913    ----a-w-    C:\Users\Qfitfw\tonight_satisfy_distinction_harden.mdb
2017-06-08 20:34:40    B6A6862C5286FE7DD528299C5E009A79    517337    ----a-w-    C:\Users\Qfitfw\prospective pleasure lift later.xlsx
2017-06-08 20:34:40    B4055CA254CC4D384A4870DE4E9F220A    411005    ----a-w-    C:\Users\Ak2ce5zj\cushion-brown.doc
2017-06-08 20:34:40    AF1A7BDCAFB270B2340D60BE4C57E3FC    75108    ----a-w-    C:\Users\Qfitfw\generally expel precision.rtf
2017-06-08 20:34:40    A9B11D9DA52C5920EF78DF4696C8891E    252342    ----a-w-    C:\Users\Qfitfw\jesus.freddy.everywhere.science.docx
2017-06-08 20:34:40    994E799C117A399BF410AD5B9184E801    269706    ----a-w-    C:\Users\Ak2ce5zj\steps-manchester.docx
2017-06-08 20:34:40    63011E20ACF7DBE0D8274968BC11FCF8    14652    ----a-w-    C:\Users\Qfitfw\southeastruincalifornia.sql
2017-06-08 20:34:40    5C0711AC9A357629C6A60320FD64E9ED    511970    ----a-w-    C:\Users\Ak2ce5zj\2SYWfpzcHrT.xlsx
2017-06-08 20:34:40    4BB79392888F851DB8B960ECB5D643F2    80757    ----a-w-    C:\Users\Ak2ce5zj\youthnowinclineunite.rtf
2017-06-08 20:34:40    43D5CAD90E44AD6F54CA2FD55123B19E    14365    ----a-w-    C:\Users\Ak2ce5zj\estatedryingopinion.sql
2017-06-08 20:34:40    40DF3017B8CFFD70D7E622760FD37B3B    21078    ----a-w-    C:\Users\Qfitfw\YDlm2kTSjv.txt
2017-06-08 20:34:40    3F39719C486544B445DEAF5500D0ED94    53083    ----a-w-    C:\Users\Ak2ce5zj\ozg.pem
2017-06-08 20:34:40    3E52AE5708A8C38A80FF81018D110961    269206    ----a-w-    C:\Users\Ak2ce5zj\memory.defend.borrow.jpg
2017-06-08 20:34:40    335150C560D3D82D9EF80F9F740197E2    250622    ----a-w-    C:\Users\Qfitfw\eliminateddive.jpg
2017-06-08 20:34:40    2F48F06C55C59E2B5CCC896796043C10    412256    ----a-w-    C:\Users\Qfitfw\infer-simultaneous-nights.doc
2017-06-08 20:34:40    177D775219DBADD873B5199849927CBB    27087    ----a-w-    C:\Users\Ak2ce5zj\explicit_dispense.txt
2017-06-08 20:34:40    12796E3C06CD001B4C7C6BF6F3261722    65258    ----a-w-    C:\Users\Qfitfw\bRwi8nWWiku.xls
2017-06-08 20:34:40    10443BA292AB3BBB10EBFA374AD78825    54560    ----a-w-    C:\Users\Qfitfw\derived mystery.pem
2017-06-08 20:34:27    --------    d-----w-    C:\ProgramData\SWCUTemp
2017-06-07 16:07:23    07385FA405A7ED72497A58443A5331D1    35426672    ----a-w-    C:\Users\DRF431~1.FEE\Downloads\setup.exe
2017-06-07 16:07:23    07385FA405A7ED72497A58443A5331D1    35426672    ----a-w-    C:\Users\Dr. Feelgood\Downloads\setup.exe
2017-06-07 16:04:40    --------    d-----w-    C:\ProgramData\RogueKiller
2017-06-07 16:04:31    --------    d-----w-    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2017-06-07 16:02:43    07385FA405A7ED72497A58443A5331D1    35426672    ----a-w-    C:\Users\DRF431~1.FEE\Downloads\RogueKiller_setup_ref3(1).exe
2017-06-07 16:02:43    07385FA405A7ED72497A58443A5331D1    35426672    ----a-w-    C:\Users\Dr. Feelgood\Downloads\RogueKiller_setup_ref3(1).exe
2017-06-07 15:55:17    DD56EC4F23743414581E3E3B8BFF5EFA    2030536    ----a-w-    C:\Users\DRF431~1.FEE\Downloads\rkill.exe
2017-06-07 15:55:17    DD56EC4F23743414581E3E3B8BFF5EFA    2030536    ----a-w-    C:\Users\Dr. Feelgood\Downloads\rkill.exe
2017-06-07 15:53:19    07385FA405A7ED72497A58443A5331D1    35426672    ----a-w-    C:\Users\DRF431~1.FEE\Downloads\RogueKiller_setup_ref3.exe
2017-06-07 15:53:19    07385FA405A7ED72497A58443A5331D1    35426672    ----a-w-    C:\Users\Dr. Feelgood\Downloads\RogueKiller_setup_ref3.exe
2017-06-07 14:56:31    DC21F90D8C78D60CDC0EE9A47BC0DACD    64232976    ----a-w-    C:\Users\DRF431~1.FEE\Downloads\mb3-setup-consumer-3.1.2.1733-1.0.141-1.0.2092.exe
2017-06-07 14:56:31    DC21F90D8C78D60CDC0EE9A47BC0DACD    64232976    ----a-w-    C:\Users\Dr. Feelgood\Downloads\mb3-setup-consumer-3.1.2.1733-1.0.141-1.0.2092.exe
2017-06-06 16:52:42    87AED6AC2FEF9E3E2B0D3827332E9AFA    2435072    ----a-w-    C:\Users\DRF431~1.FEE\Downloads\FRST64(1).exe
2017-06-06 16:52:42    87AED6AC2FEF9E3E2B0D3827332E9AFA    2435072    ----a-w-    C:\Users\Dr. Feelgood\Downloads\FRST64(1).exe

====== C: exe-files ==
2017-06-07 16:08:20    706FCC683F0C39664180963FDCC547CF    799304    ----a-w-    C:\Program Files\RogueKiller\unins000.exe
2017-06-07 16:07:23    07385FA405A7ED72497A58443A5331D1    35426672    ----a-w-    C:\Users\Dr. Feelgood\Downloads\setup.exe
2017-06-07 16:04:30    C9470132F21F74B8A92DF4D086A18BAB    10981960    ----a-w-    C:\Program Files\RogueKiller\RogueKillerCMD64.exe
2017-06-07 16:04:30    9F65B7589A692BA61EAB26CC4345B288    13391432    ----a-w-    C:\Program Files\RogueKiller\Updater.exe
2017-06-07 16:04:29    011E7B1BEB8B363B1DBFFE94CC43A14C    9388104    ----a-w-    C:\Program Files\RogueKiller\RogueKillerCMD.exe
2017-06-07 16:04:28    6B33AE13288132F7D6A801C4426CF758    26377288    ----a-w-    C:\Program Files\RogueKiller\RogueKiller64.exe
2017-06-07 16:04:27    3DA37979623A8755039085035F79A197    22018120    ----a-w-    C:\Program Files\RogueKiller\RogueKiller.exe
2017-06-07 16:02:43    07385FA405A7ED72497A58443A5331D1    35426672    ----a-w-    C:\Users\Dr. Feelgood\Downloads\RogueKiller_setup_ref3(1).exe
2017-06-07 15:55:17    DD56EC4F23743414581E3E3B8BFF5EFA    2030536    ----a-w-    C:\Users\Dr. Feelgood\Downloads\rkill.exe
2017-06-07 15:53:19    07385FA405A7ED72497A58443A5331D1    35426672    ----a-w-    C:\Users\Dr. Feelgood\Downloads\RogueKiller_setup_ref3.exe
2017-06-07 14:56:31    DC21F90D8C78D60CDC0EE9A47BC0DACD    64232976    ----a-w-    C:\Users\Dr. Feelgood\Downloads\mb3-setup-consumer-3.1.2.1733-1.0.141-1.0.2092.exe
2017-06-06 16:52:42    87AED6AC2FEF9E3E2B0D3827332E9AFA    2435072    ----a-w-    C:\Users\Dr. Feelgood\Downloads\FRST64(1).exe
2017-06-06 16:52:42    0523D21F434FC528CFCAC809468C0441    2433536    ----a-w-    C:\Users\Dr. Feelgood\Downloads\FRST-OlderVersion\FRST64(1).exe
=== C: other files ==
2017-06-08 15:36:52    7A4D322FDB021752F498839A1C18CC42    1717    ----a-w-    C:\Users\Dr. Feelgood\AppData\Local\Temp\xpi\tmp.zip
2017-06-07 16:08:55    0D5A09B08568760AE85A801FCBC0F83D    28272    ----a-w-    C:\windows\System32\drivers\TrueSight.sys
2017-06-07 15:41:32    0C1251A7A0250B365C03B120B84AABE8    557812    ----a-w-    C:\Users\Dr. Feelgood\AppData\Roaming\Mozilla\Firefox\Profiles\260paz3a.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
2017-06-06 20:05:19    1E128C63814041A2A4EE6123CBEDB0F6    2943437    ----a-w-    C:\Users\Mike\Downloads\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\extensions\staged\https-everywhere-eff@eff.org.xpi
2017-06-06 16:52:44    E5D4E82E5E0C38D78E6557C44211D7D9    10465    ----a-w-    C:\Users\Dr. Feelgood\AppData\Roaming\Mozilla\Firefox\Profiles\260paz3a.default\features\{e3cfab2e-76a3-4e14-bcdd-93a5195e70b2}\followonsearch@mozilla.com.xpi
2017-06-06 16:52:44    8C57F78CC0280C2A665747454B9F2398    44954    ----a-w-    C:\Users\Dr. Feelgood\AppData\Roaming\Mozilla\Firefox\Profiles\260paz3a.default\features\{e3cfab2e-76a3-4e14-bcdd-93a5195e70b2}\shield-recipe-client@mozilla.org.xpi
2017-06-05 23:34:43    E5D4E82E5E0C38D78E6557C44211D7D9    10465    ----a-w-    C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6puf6ay5.default-1440978726893\features\{5529bc08-a4be-4749-9d9c-81adb8747ddd}\followonsearch@mozilla.com.xpi
2017-06-05 23:34:43    8C57F78CC0280C2A665747454B9F2398    44954    ----a-w-    C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6puf6ay5.default-1440978726893\features\{5529bc08-a4be-4749-9d9c-81adb8747ddd}\shield-recipe-client@mozilla.org.xpi

==== Startup Registry Enabled ======================

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="%ProgramFiles%\Windows\Sidebar.exe /autoRun"

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="%ProgramFiles%\Windows\Sidebar.exe /autoRun"

[HKEY_USERS\S-1-5-21-1486635349-3231517910-980370596-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files (x86)\Skype\Phone\Skype.exe /minimized /regrun"
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"

[HKEY_USERS\S-1-5-21-1486635349-3231517910-980370596-1018\Software\Microsoft\Windows\CurrentVersion\Run]
"EPLTarget\P0000000000000000"="C:\windows\system32\spool\DRIVERS\x64\3\E_YATIRHE.EXE /EPT EPLTarget\P0000000000000000 /M XP-640 Series /EF HKCU"
"Sidebar"="%ProgramFiles%\Windows\Sidebar.exe /autoRun"

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"mctadmin"="C:\Windows\System32\mctadmin.exe"

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"mctadmin"="C:\Windows\System32\mctadmin.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDRegion"="C:\Program Files (x86)\Cyberlink\Shared files\brs.exe"
"UpdateP2GShortCut"="C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe C:\Program Files (x86)\Lenovo\Power2Go UpdateWithCreateOnce SOFTWARE\CyberLink\Power2Go\5.0"
"UpdatePRCShortCut"="C:\Program Files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe C:\Program Files\Lenovo\OneKey App\OneKey Recovery UpdateWithCreateOnce Software\Lenovo\OneKey App\OneKey Recovery"
"EEventManager"="C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"EPLTarget\P0000000000000000"="C:\windows\system32\spool\DRIVERS\x64\3\E_YATIRHE.EXE /EPT EPLTarget\P0000000000000000 /M XP-640 Series /EF HKCU"
"Sidebar"="%ProgramFiles%\Windows\Sidebar.exe /autoRun"

==== Startup Registry Enabled x64 ======================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s"
"Lenovo EE Boot Optimizer"="C:\Program Files (x86)\Lenovo\Boot Optimizer\PopWnd.exe"
"OnekeyStudio"="C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe"
"UpdatePRCShortCut"="C:\Program Files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe C:\Program Files\Lenovo\OneKey App\OneKey Recovery UpdateWithCreateOnce Software\Lenovo\OneKey App\OneKey Recovery"
"Energy Management"="C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe"
"EnergyUtility"="C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe"
"IgfxTray"="C:\windows\system32\igfxtray.exe"
"HotKeysCmds"="C:\windows\system32\hkcmd.exe"
"Persistence"="C:\windows\system32\igfxpers.exe"
"AvastUI.exe"="C:\Program Files\AVAST Software\Avast\AvLaunch.exe /gui"
"Malwarebytes TrayApp"="C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe"
"SynTPEnh"="%ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe "

==== Startup Registry Disabled x64 ======================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Adobe ARM]
"key"="SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Adobe ARM"
"hkey"="HKLM"
"command"="\"C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CCleaner Monitoring]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CCleaner Monitoring"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\CCleaner\\CCleaner64.exe\" /MONITOR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RemoteControl10]
"key"="SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RemoteControl10"
"hkey"="HKLM"
"command"="\"C:\\Program Files (x86)\\Lenovo\\PowerDVD10\\PDVD10Serv.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\S6000Mnt]
"key"="SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="S6000Mnt"
"hkey"="HKLM"
"command"="C:\\windows\\SysWOW64\\Rundll32.exe S6000Rmv.dll,WinMainRmv /StartStillMnt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VeriFaceManager]
"key"="SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VeriFaceManager"
"hkey"="HKLM"
"command"="C:\\Program Files (x86)\\Lenovo\\VeriFace\\PManage.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\YouCam Mirage]
"key"="SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YouCam Mirage"
"hkey"="HKLM"
"command"="\"C:\\Program Files (x86)\\Lenovo\\YouCam\\YCMMirage.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\YouCam Tray]
"key"="SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YouCam Tray"
"hkey"="HKLM"
"command"="\"C:\\Program Files (x86)\\Lenovo\\YouCam\\YouCam.exe\" /s"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
"path"="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Bluetooth.lnk"
"backup"="C:\\windows\\pss\\Bluetooth.lnk.CommonStartup"
"backupExtension"=".CommonStartup"
"command"="C:\\PROGRA~1\\Lenovo\\BLUETO~1\\BTTray.exe "
"item"="Bluetooth"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services\!SASCORE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services\WinDefend]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services\WMPNetworkSvc]


==== Task Scheduler Jobs ======================

C:\windows\tasks\EPSON XP-640 Series Update {0DE57EA7-7786-46F5-B9B8-CA35346DBE4C}.job --a------ C:\windows\system32\spool\DRIVERS\x64\3\E_YTSRHE.exe [11/21/2013 09:30 AM]
C:\windows\tasks\WpsNotifyTask_Mike.job --a------ C:\Program Files (x86)\Kingsoft\Kingsoft Office\wtoolex\wpsnotify.exe [12/26/2013 09:00 AM]
C:\windows\tasks\WpsUpdateTask_Mike.job --a------ C:\Program Files (x86)\Kingsoft\Kingsoft Office\wtoolex\wpsupdate.exe [01/20/2017 12:01 AM]

==== Other Scheduled Tasks ======================

"C:\windows\SysNative\tasks\Adobe Acrobat Update Task" [C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe]
"C:\windows\SysNative\tasks\Avast Emergency Update" [C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe]
"C:\windows\SysNative\tasks\CCleanerSkipUAC" ["C:\Program Files\CCleaner\CCleaner.exe"]
"C:\windows\SysNative\tasks\Cybereason RansomFree Autostart" ["C:\Program Files (x86)\Cybereason\RansomFree\CybereasonRansomFree.exe"]
"C:\windows\SysNative\tasks\Cybereason RansomFree Keepalive" ["C:\Program Files (x86)\Cybereason\RansomFree\CybereasonRansomFree.exe"]
"C:\windows\SysNative\tasks\EPSON XP-640 Series Update {0DE57EA7-7786-46F5-B9B8-CA35346DBE4C}" [C:\windows\system32\spool\DRIVERS\x64\3\E_YTSRHE.EXE]
"C:\windows\SysNative\tasks\GoogleUpdateTaskMachineCore" [C:\Program Files (x86)\Google\Update\GoogleUpdate.exe]
"C:\windows\SysNative\tasks\GoogleUpdateTaskMachineUA" [C:\Program Files (x86)\Google\Update\GoogleUpdate.exe]
"C:\windows\SysNative\tasks\MirageAgent" [C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe]
"C:\windows\SysNative\tasks\SafeZone scheduled Autoupdate 1467713979" [C:\Program Files\AVAST Software\SZBrowser\launcher.exe]
"C:\windows\SysNative\tasks\User_Feed_Synchronization-{88B4C5C7-F719-4C33-AFB5-7B70182C28F6}" [C:\windows\system32\msfeedssync.exe]
"C:\windows\SysNative\tasks\WpsNotifyTask_Mike" [C:\Program Files (x86)\Kingsoft\Kingsoft Office\wtoolex\wpsnotify.exe]
"C:\windows\SysNative\tasks\WpsUpdateTask_Mike" [C:\Program Files (x86)\Kingsoft\Kingsoft Office\wtoolex\wpsupdate.exe]
"C:\windows\SysNative\tasks\AVAST Software\Avast settings backup" [C:\Program Files\Common Files\AV\avast Antivirus\backup.exe]
"C:\windows\SysNative\tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask" [%systemroot%\system32\sc.exe start osppsvc]

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\DRF431~1.FEE\AppData\Roaming\Mozilla\Firefox\Profiles\260paz3a.default
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

ProfilePath: C:\Users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\ovlob6v9.default
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

ProfilePath: C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6puf6ay5.default-1440978726893
user_pref("browser.startup.homepage", "http://sfbay.craigslist.org/eby/");
user_pref("browser.search.defaultengine", "Yahoo! (Avast)");
user_pref("browser.search.defaultenginename", "Yahoo! (Avast)");
user_pref("browser.search.defaultenginename.US", "Google");
user_pref("browser.search.selectedEngine", "Yahoo! (Avast)");

#14 nasdaq (Malware Response Team)

Posted 09 June 2017 - 12:57 PM

Can you disable Cybereason and run the Zoek tool as suggested in post No. 10?

Disable Zoek if it takes longer than 30 minutes.

#15 zse45tgb (Topic Starter)

Posted 09 June 2017 - 02:13 PM

Zoek.exe v5.0.0.1 Updated 27-09-2015
Tool run by Dr. Feelgood on Fri 06/09/2017 at 11:26:12.21.
Microsoft Windows 7 Home Premium  6.1.7601 Service Pack 1 x64
Running in: Normal Mode No Internet Access Detected
Launched: C:\Users\Dr. Feelgood\Downloads\zoek.exe [Scan all users] [Script inserted]

==== Older Logs ======================

C:\zoek-results2017-06-08-152917.log    7983 bytes
C:\zoek-results2017-06-09-151035.log    25428 bytes

==== System Restore Info ======================

6/9/2017 11:27:26 AM Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\Users\Dr. Feelgood\AppData\Local\VirtualStore deleted successfully

==== Deleting CLSID Registry Keys ======================


==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== FireFox Fix ======================

Deleted from C:\Users\DRF431~1.FEE\AppData\Roaming\Mozilla\Firefox\Profiles\260paz3a.default\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

Added to C:\Users\DRF431~1.FEE\AppData\Roaming\Mozilla\Firefox\Profiles\260paz3a.default\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

Deleted from C:\Users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\ovlob6v9.default\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

Added to C:\Users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\ovlob6v9.default\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

Deleted from C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6puf6ay5.default-1440978726893\prefs.js:
user_pref("browser.startup.homepage", "http://sfbay.craigslist.org/eby/");
user_pref("browser.search.defaultengine", "Yahoo! (Avast)");
user_pref("browser.search.defaultenginename", "Yahoo! (Avast)");
user_pref("browser.search.defaultenginename.US", "Google");
user_pref("browser.search.selectedEngine", "Yahoo! (Avast)");
user_pref("browser.search.order.1", "Yahoo! (Avast)");
user_pref("browser.search.suggest.enabled", false);
user_pref("browser.search.useDBForOrder", true);

Added to C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6puf6ay5.default-1440978726893\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

ProfilePath: C:\Users\DRF431~1.FEE\AppData\Roaming\Mozilla\Firefox\Profiles\260paz3a.default

user.js not found
---- FireFox user.js and prefs.js backups ----

prefs_20170609_1150_.backup

ProfilePath: C:\Users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\ovlob6v9.default

user.js not found
---- FireFox user.js and prefs.js backups ----

prefs_20170609_1150_.backup

ProfilePath: C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6puf6ay5.default-1440978726893

user.js not found
---- FireFox user.js and prefs.js backups ----

prefs_20170609_1150_.backup

==== Batch Command(s) Run By Tool======================


==== Deleting Files \ Folders ======================

"C:\windows\Installer\17663e.msi" not found

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\DRF431~1.FEE\AppData\Roaming\Mozilla\Firefox\Profiles\260paz3a.default
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

ProfilePath: C:\Users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\ovlob6v9.default
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

ProfilePath: C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6puf6ay5.default-1440978726893
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

==== Firefox Extensions ======================

ProfilePath: C:\Users\DRF431~1.FEE\AppData\Roaming\Mozilla\Firefox\Profiles\260paz3a.default
- Undetermined - %ProfilePath%\extensions\sp@avast.com.xpi
- Undetermined - %ProfilePath%\extensions\wrc@avast.com.xpi
- NoScript - %ProfilePath%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi

ProfilePath: C:\Users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\ovlob6v9.default
- Undetermined - %ProfilePath%\extensions\sp@avast.com.xpi
- Undetermined - %ProfilePath%\extensions\wrc@avast.com.xpi

ProfilePath: C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6puf6ay5.default-1440978726893
- Tails Download and Verify - %ProfilePath%\extensions\dave@tails.boum.org.xpi
- Undetermined - %ProfilePath%\extensions\sp@avast.com.xpi
- Undetermined - %ProfilePath%\extensions\wrc@avast.com.xpi
- NoScript - %ProfilePath%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi

AppDir: C:\Program Files\Mozilla Firefox
- Undetermined - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Undetermined - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi

==== Firefox Plugins ======================

Profilepath: C:\Users\Dr. Feelgood\AppData\Roaming\Mozilla\Firefox\Profiles\260paz3a.default
F3CA2CB85343242C90065137BED6357D    - c:\Program Files\Microsoft Silverlight\5.1.50906.0\npctrl.dll -    Silverlight Plug-In
906061B57CF52CFE36F307F255B4D44E    - c:\Program Files\Microsoft Silverlight\5.1.50906.0\npctrlui.dll -    Microsoft® Silverlight


==== Chromium Look ======================



==== Chromium Startpages ======================

C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Preferences
"startup_urls": [ "http://www.google.com/" ],


==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://www.google.com/ig/redirectdomain?brand=LENN&bmod=LENN"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{012E1000-F331-11DB-8314-0800200C9A66}"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"
{6A1806CD-94D4-4689-BA73-E35EA1EA9990} Unknown  Url="http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LENN"

==== Reset Google Chrome ======================

C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully
C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Web Data was reset successfully

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\35249B28CBF397743BFB6C09DA45FABD deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{82B94253-3FBC-4779-B3BF-C690AD54AFDB} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\35249B28CBF397743BFB6C09DA45FABD deleted successfully

==== Empty IE Cache ======================

C:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Dr. Feelgood\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Mike\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\DRF431~1.FEE\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

==== Empty FireFox Cache ======================

C:\Users\Dr. Feelgood\AppData\Local\Mozilla\Firefox\Profiles\260paz3a.default\cache2 emptied successfully
C:\Users\Guest\AppData\Local\Mozilla\Firefox\Profiles\ovlob6v9.default\Cache emptied successfully
C:\Users\Mike\AppData\Local\Mozilla\Firefox\Profiles\6puf6ay5.default-1440978726893\cache2 emptied successfully
C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6puf6ay5.default-1440978726893\storage\default\https+++twitter.com\cache emptied successfully
C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6puf6ay5.default-1440978726893\storage\default\https+++www.washingtonpost.com\cache emptied successfully
C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6puf6ay5.default-1440978726893\storage\default\https+++www.youtube.com\cache emptied successfully
C:\Users\DRF431~1.FEE\AppData\Local\Mozilla\Firefox\Profiles\260paz3a.default\cache2 emptied successfully

==== Empty Chrome Cache ======================

C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

No Java Cache Found

==== C:\zoek_backup content ======================

C:\zoek_backup (files=232 folders=102 176762336 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\Dr. Feelgood\AppData\Local\Temp will be emptied at reboot
C:\Users\Guest\AppData\Local\Temp emptied successfully
C:\Users\Mike\AppData\Local\Temp emptied successfully
C:\Users\DRF431~1.FEE\AppData\Local\Temp will be emptied at reboot
C:\windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\windows\Temp successfully emptied
C:\Users\DRF431~1.FEE\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== Deleting Files / Folders ======================

"C:\Users\DRF431~1.FEE\AppData\Local\Microsoft\Windows\UsrClass.dat"  not deleted
"C:\Users\DRF431~1.FEE\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1"  not deleted
"C:\Users\DRF431~1.FEE\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2"  not deleted
"C:\Users\DRF431~1.FEE\AppData\Local\Microsoft\Windows\UsrClass.dat{b1ea2ae9-43d8-11e7-a49d-6427378b2e0d}.TM.blf"  not found
"C:\Users\DRF431~1.FEE\AppData\Local\Microsoft\Windows\UsrClass.dat{b1ea2ae9-43d8-11e7-a49d-6427378b2e0d}.TMContainer00000000000000000001.regtrans-ms"  not found
"C:\Users\DRF431~1.FEE\AppData\Local\Microsoft\Windows\UsrClass.dat{b1ea2ae9-43d8-11e7-a49d-6427378b2e0d}.TMContainer00000000000000000002.regtrans-ms"  not found
"C:\Users\DRF431~1.FEE\AppData\Local\Microsoft\Windows\WebCacheLock.dat"  not deleted
"C:\Users\DRF431~1.FEE\AppData\Local\Microsoft\Windows\WindowsUpdate.log"  deleted
"C:\Users\DRF431~1.FEE\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db"  deleted
"C:\Users\DRF431~1.FEE\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db"  deleted
"C:\Users\DRF431~1.FEE\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db"  deleted
"C:\Users\DRF431~1.FEE\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db"  deleted
"C:\Users\DRF431~1.FEE\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db"  deleted
"C:\Users\DRF431~1.FEE\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat"  not deleted
"C:\Users\DRF431~1.FEE\AppData\Local\Microsoft\Windows\WebCache\V01.log"  not deleted
"C:\Users\DRF431~1.FEE\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat"  not deleted
"C:\Users\DRF431~1.FEE\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.tmp"  not deleted
"C:\Users\DRF431~1.FEE\AppData\Local\Microsoft"  not deleted

==== EOF on Fri 06/09/2017 at 12:09:00.34 ======================

Scan did complete!

Pausing Cybereason, in addition to pausing Avast and exiting my browser, did the trick, but Zoek still runs fairly hot.

I probably wouldn't have noticed on a desktop, but I'm a left handed laptop user so my hand rests right over the processor when I type.

I don't know if any of the tools we've run have caused this, but I noticed my desktop icons have been rearranged and my Start menu settings have changed. Nothing added or deleted, just changed.

I did try to delete a user with no luck.

Edited by zse45tgb, 10 June 2017 - 02:25 AM.
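
An added check, not part of the thread or of the Zoek/FRST tools, for the "users that should not exist" question. The Zoek log above lists the same Firefox profile (260paz3a.default) under both C:\Users\Dr. Feelgood and C:\Users\DRF431~1.FEE; the second form, an 8-character base ending in ~1 plus a 3-character extension, is the DOS 8.3 short name that NTFS generates for a long folder name containing spaces or dots, so a tool can report one folder under two names. The script below reconciles three things that are easy to confuse: the local accounts in SAM, the profiles registered under the ProfileList registry key, and the folders actually present under C:\Users, and it prints each folder's 8.3 short name so an apparent extra user can be matched to its long-name folder. Assumptions: profiles live under C:\Users (the default), the prompt is elevated, and the cmdlets used are limited to those available on Windows 7 / PowerShell 2.0.

```powershell
# Added example (not from the thread): reconcile local accounts, registered profiles
# and C:\Users folders, and resolve 8.3 short names such as DRF431~1.FEE.
# Assumes an elevated prompt and the default profile root; Windows 7 / PowerShell 2.0 compatible.

$usersRoot = 'C:\Users'   # assumption: profiles live under the default root

# 1. Local accounts known to SAM (name, SID, enabled/disabled)
$accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'" |
    Select-Object Name, SID, Disabled

# 2. Profiles registered in ProfileList (SID -> folder); this is the list that
#    System Properties > Advanced > User Profiles is built from
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$profiles = Get-ChildItem $profileList | ForEach-Object {
    $p    = Get-ItemProperty $_.PSPath
    $path = [Environment]::ExpandEnvironmentVariables($p.ProfileImagePath)
    New-Object PSObject -Property @{ SID = $_.PSChildName; Path = $path }
}

# 3. Folders actually present under C:\Users, with their 8.3 short names.
#    FileSystemObject returns the long name when no short name exists.
$fso = New-Object -ComObject Scripting.FileSystemObject
$folders = Get-ChildItem $usersRoot -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $f = $fso.GetFolder($_.FullName)
    New-Object PSObject -Property @{
        LongName  = $_.Name
        ShortName = $f.ShortName       # e.g. DRF431~1.FEE for a long name with spaces/dots
        Path      = $_.FullName
    }
}

# 4. Report: every folder, whether ProfileList registers it, and which local account owns that SID
foreach ($folder in $folders) {
    $reg  = $profiles | Where-Object { $_.Path -ieq $folder.Path }
    $acct = $null
    if ($reg) { $acct = $accounts | Where-Object { $_.SID -eq $reg.SID } }
    $status = if (-not $reg)      { 'folder only (no ProfileList entry)' }
              elseif (-not $acct) { 'registered profile, SID is not a local account: ' + $reg.SID }
              else                { 'local account: ' + $acct.Name }
    '{0,-20} short={1,-14} {2}' -f $folder.LongName, $folder.ShortName, $status
}
```

Default, Default User, Public and All Users are expected to show as "folder only" (the last two are junctions, not profiles), as is any folder whose short name matches a registered long-name profile. A profile is three things at once (account, ProfileList entry, folder): deleting the folder alone leaves the registry entry behind, and deleting the account alone leaves the folder, which is why removing a profile through System Properties > Advanced > User Profiles, which drops both, is the reliable route.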